b'    October 24, 2005\n\n\n\n\nInformation Technology\nManagement\n\nReport on Defense Departmental\nReporting System and Related\nFinancial Statement Compilation\nProcess Controls Placed in Operation\nand Tests of Operating Effectiveness\nfor the Period October 1, 2004\nthrough March 31, 2005\n(D-2006-008)\n\n                  Department of Defense\n                 Office of Inspector General\n\n                                   Constitution of\n                                  the United States\n\n     A Regular Statement of Account of the Receipts and Expenditures of all public\n     Money shall be published from time to time.\n                                                             Article I, Section 9\n\x0cAdditional Copies\n\nTo obtain additional copies of this report, visit the Web site of the Department of\nDefense Inspector General at http://www.dodig.mil/audit/reports or contact the\nSecondary Reports Distribution Unit, Audit Followup and Technical Support at\n(703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact Audit Followup and\nTechnical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932.\nIdeas and requests can also be mailed to:\n\n                  ODIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Department of Defense Inspector General\n                      400 Army Navy Drive (Room 801)\n                          Arlington, VA 22202-4704\n\x0c                                        INSPECTOR GENERAL\n                                   DEPARTMENTOFDEFENSE\n                                    400 ARMY NAVY DRIVE\n                               ARLINGTON, VIRGINIA 22202-4704\n\n\n\n\n                                                                            October 24,2005\n\n\nMEMORANDUM FOR THE UNDER SECRETARY OF DEFENSE\n                    (COMPTROLLERICHIEF FINANCIAL OFFICER)\n                   DEPUTY CHIEF FINANCIAL 
OFFICER\n                   DEPUTY COMPTROLLER (PROGRAMBUDGET)\n                   DIRECTOR, DEFENSE FINANCE AND ACCOUNTING\n                     SERVICE\n                   DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY\n\nSUBJECT: Report on the Defense Departmental Reporting System and Related Financial\n         Statement Compilation Process Controls Placed in Operation and Tests of Operating\n         Effectiveness for the Period October 1,2004 through March 3 1,2005\n         (Report No. D-2006-008)\n\n        We are providing this report for information and use. No written response to this report\nis required. Therefore, we are publishing this report in final form.\n       We appreciate the courtesies extended to the staff. Questions should be directed to Mr.\nMichael Perkins at (703) 325-3557 (DSN 221-3557) or Mr. G. Marshall Grimes at\n(703) 428-1056 (DSN 328-1056). The team members are listed inside the back cover.\n                                        By direction of the Deputy Inspector General for Auditing:\n\n\n\n\n                                    \'   Assistant inspector General\n                                        Defense Financial Auditing\n                                               Service\n\x0cTable of Contents\n\nForeword                                                                              i\n\nSection I\n   Independent Service Auditors\xe2\x80\x99 Report                                               1\n\nSection II\n   Description of the Defense Departmental Reporting System and Related Financial\n   Statement Compilation Process Operations and Controls Provided by the Defense\n   Finance and Accounting Service and the Defense Information Systems Agency         15\n\nSection III\n   Control Objectives, Control Activities, and Tests of Operating Effectiveness      27\n\nSection IV\n   Supplemental Information Provided by the Defense Information Systems Agency      171\n\nAcronyms and Abbreviations                               
                           175\n\nReport Distribution                                                                 177\n\x0c                                          FOREWORD\n\n\nThis report is intended for the use of DFAS and DISA management, its user organizations, and\nthe independent auditors of its user organizations. Department of Defense personnel who\nmanage and use the Defense Departmental Reporting System (DDRS) will also find this report\nof interest as it contains information about DDRS general and application controls.\n\nThe Department of Defense, Office of Inspector General (DoD OIG) is implementing a long\nrange strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act\nof 1990 (P.L. 101-576), as amended, mandates that agencies prepare and conduct audits of\nfinancial statements, which is key to achieving the goals of the Chief Financial Officers Act.\n\nThe DDRS provides tools for DoD financial managers to produce audited financial statements,\nunaudited interim financial statements, and budgetary reports. The mission of DDRS is to\nstandardize the departmental reporting process, produce financial statements and budgetary\nreports based on Federal requirements and standard attributes, and replace legacy departmental\nand command-level reporting processes.\n\nThis audit assessed controls over the DDRS processes at DFAS and DISA. This report provides\nan opinion on the fairness of presentation, the adequacy of design, and the operating\neffectiveness of key controls that are relevant to audits of user organization financial statements.\nAs a result, this audit precludes the need for multiple audits of DDRS controls previously\nperformed by user organizations to plan or conduct financial statement and performance audits.\nThis audit will also provide, in a separate audit report, recommendations to management for\ncorrection of identified control deficiencies. 
Effective internal control is critical to achieving\nreliable information for all management reporting and decision making.\n\n\n\n\n                                                  i\n\x0cSection I: Independent Service Auditors\xe2\x80\x99 Report\n\n\n\n\n                       1\n\x0c\x0c                                      INSPECTOR GENERAL\n                                    DEPARTMENTOFDEFENSE\n                                     400 ARMY NAVY DRIVE\n                                ARLINGTON, VIRGINIA 22202-4704\n\n\n\n\n                                                                        October 24,2005\n\n\nMEMORANDUM FOR THE UNDER SECRETARY OF DEFENSE\n                    (COMPTROLLERICHIEF FINANCIAL OFFICER)\n                   DEPUTY CHIEF FINANCIAL OFFICER\n                   DEPUTY COMPTROLLER (PROGRAMJBUDGET)\n                   DIRECTOR, DEFENSE FINANCE AND ACCOUNTING\n                    SERVICE\n                   DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY\n\n\nSUBJECT: Report on the Defense Departmental Reporting System and Related\n         Financial Statement Compilation Process Controls Placed in Operation and Tests of\n         Operating Effectiveness for the Period October 1,2004 through March 3 1,2005\n\nWe have examined the accompanying description of the Defense Departmental Reporting\nSystem (DDRS) general computer and application controls and the related financial statement\ncompilation process (Section 11). DDRS and the financial statement compilation process are\nsponsored and used by the Defense Finance and Accounting Service (DFAS). The DDRS\nsystem is jointly maintained and techcally supported by DFAS and the Defense Information\nSystems Agency (DISA). 
Our examination included procedures to obtain reasonable assurance\nabout whether: (1) the accompanying description presents fairly, in all material respects, the\naspects of the controls at DFAS and DISA that may be relevant to a DDRS user organization\'s\ninternal control as it relates to an audit of financial statements; (2) the controls included in the\ndescription were suitably designed to achieve the control objectives specified in the description,\nif those controls were complied with satisfactorily and user organizations applied those aspects\nof internal control contemplated in the design of the controls at DFAS and DISA; and (3) such\ncontrols had been placed in operation as of March 3 1,2005.\nThe control objectives were specified by the Department of Defense, Office of Inspector General\n(DoD OIG) and accepted by DFAS and DISA. Our examination was performed in accordance\nwith standards established by the American Institute of Certified Public Accountants and the\nstandards applicable to financial audits contained in Government Auditing Standards, issued by\nthe Comptroller General of the United States, and included those procedures we considered\nnecessary in the circumstances to obtain a reasonable basis for rendering our opinion.\nThe accompanying description includes only those general computer and application control\nobjectives and control activities related to the unclassified aspects of DDRS and its related\noperations. Also, the accompanying description includes those general computer and application\ncontrol objectives and control activities related to the receipt and processing of financial data\nfrom user locations, but does not include general computer and application controls related to the\nsystems that generate and submit user financial data to DDRS. 
In addition, the accompanying\ndescription includes those general and application control objectives and related control activities\napplicable to the "DDRS Audited Financial Statements Module" (DDRS-AFS), the "DDRS Data\n\x0cCollection Module\xe2\x80\x9d (DDRS-DCM), and the related financial statement compilation process, but\ndoes not include such objectives and activities related to the \xe2\x80\x9cDDRS Budgetary Module\xe2\x80\x9d\n(DDRS-B). The accompanying description includes only those general control objectives and\nrelated controls resident at DFAS centers in Arlington, Virginia; Cleveland, Ohio; Indianapolis,\nIndiana; and the DISA Defense Enterprise Computing Center (DECC) at Ogden, Utah. Further,\nthe accompanying description includes only those application control objectives and related\ncontrol activities resident at the DFAS centers located at Arlington, Virginia; Cleveland and\nColumbus, Ohio; Denver, Colorado; and Indianapolis, Indiana.\n\nOur examination was conducted for the purpose of forming an opinion on the description of the\nDDRS-AFS general and application controls at DFAS and DISA (Section II and the control\nactivities described in Section III). Information about business continuity plans and procedures\nat DISA, as provided by DISA and included in Section IV, is presented to provide additional\ninformation to user organizations and is not a part of the description of controls at DFAS and\nDISA. The information in Section IV has not been subjected to the procedures applied in the\nexamination of the aforementioned description of the controls at DFAS and DISA related to\nDDRS-AFS and the related financial statement compilation process. Accordingly, we express no\nopinion on the description of the business continuity plans and procedures provided by DISA.\n\nIn performing our examination, we identified design deficiencies in five of 15 application control\nobjectives (33 percent) that had been placed in operation as of March 31, 2005. 
The five\nidentified design deficiencies were as follows:\n\n   Trial Balance Input to DFAS for Processing to DDRS-AFS\n\n   The accompanying description includes control activities related to DFAS processing of user\n   organizations\xe2\x80\x99 trial balances for input into DDRS-AFS. The description is based on the\n   assumption that user organization trial balances received at DFAS may not be in full\n   compliance with federal financial reporting requirements; thus requiring adjustment prior to\n   upload to DDRS-AFS. DFAS controls were designed to derive certain proprietary accounts\n   from budgetary accounts, usually from the \xe2\x80\x9cReport on Budget Execution and Budgetary\n   Resources (SF-133),\xe2\x80\x9d and, at DFAS-Denver, some budgetary accounts were derived from\n   proprietary accounts. As certain user organizations improve their accounting and reporting\n   systems and processes, some or all of their submitted data may be accurately presented and\n   may not require adjustment prior to upload to DDRS-AFS based on the prescribed derivation\n   assumptions. Also, DFAS processing and revision of user accounting information for input\n   to DDRS-AFS was not designed to provide appropriate segregation of duties at the DFAS\n   centers in Cleveland, Ohio; Columbus, Ohio; and Denver, Colorado. There was no formal\n   acceptance of user organization trial balances at these DFAS centers. 
Further, for these\n   DFAS centers, the processes for preparing the trial balances for input were not approved by\n   either the center or DFAS-Arlington.\n\n   As a result, the design of controls did not provide reasonable assurance that the control\n   objective, \xe2\x80\x9cControls provide reasonable assurance that trial balance data manually migrated\n   into DDRS-AFS is accurate, authorized, and complete, and that data from the Report on\n   Budget Execution and Budgetary Resources (SF-133), or other feeder systems, is input\n   accurately into DDRS-AFS, and any reclassifications are authorized, approved, and\n   monitored by an audit trail,\xe2\x80\x9d was achieved (Local Unique Processes control objective # 1).\n\n   Trading Partner Eliminations\n\n   The accompanying description includes control activities related to the elimination in\n   DDRS-AFS of trading partner transactions as part of the process of consolidating the\n                                             4\n\x0cDepartment\xe2\x80\x99s financial statements. However, the trading partner elimination process was\nbased on the inability of certain user organizations in DoD to reconcile data from the buyer\nand seller in most intragovernmental transactions at the transaction level. Therefore, DFAS\ndeveloped controls for the eliminations process in DDRS-AFS that relied on the seller-side of\nthese transactions, adjusting the buyer-side data to agree with the seller-side data at a\nsummary level. This process was established in DoD Financial Management Regulation\n(FMR), Volume 6B, Chapter 13. 
However, the DDRS-AFS process of relying on seller-side\ndata was not designed to include controls for reconciling differences between seller-side data\nand buyer-side data at the transaction level.\n\nAs a result, the design of controls did not provide reasonable assurance that the control\nobjective, \xe2\x80\x9cControls are in place to ensure that trading partner data are supported by adequate\ndocumentation or valid estimating methodology. Controls provide reasonable assurance that\nDDRS has processes for determining the integrity of data flowing through the system, and\ntrading partners are input and updated completely and accurately. Reports can identify the\nimpact of trading partners on statement presentation,\xe2\x80\x9d was achieved (Audited Financial\nStatements Module control objective # 4).\n\nTrial Balance Input to DDRS-AFS and DFAS Center-Level User Access\n\nThe accompanying description includes control activities related to the input of trial balances\nand adjustments into DDRS-AFS. However, the description did not include controls to\nensure that adjustment of beginning and ending balances were reviewed and approved. Users\ncould circumvent the journal voucher approval process by posting adjustments to trial\nbalances.\n\nAs a result, the design of controls did not provide reasonable assurance that the control\nobjective, \xe2\x80\x9cControls provide reasonable assurance that data transmissions between DDRS\nand user organizations are authorized, complete, accurate, and secure,\xe2\x80\x9d was achieved\n(Audited Financial Statements Module control objective # 6).\n\nThe accompanying description includes control activities related to user access to\nDDRS-AFS. However, controls were designed to provide for access to DDRS-AFS on a\ncenter-level basis, instead of by responsible work area.\n\nAs a result, users may be provided access to more information than they actually need to\nconduct their assigned functions. 
DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA)\nImplementation,\xe2\x80\x9d at Attachment 4 to Enclosure 4, \xe2\x80\x9cEnclave and Computing Environment,\nECLP-1,\xe2\x80\x9d \xe2\x80\x9cLeast Privilege,\xe2\x80\x9d states that access procedures enforce the principles of separation\nof duties and \xe2\x80\x9cleast privilege.\xe2\x80\x9d\n\nAs a result, the design of controls did not provide reasonable assurance that the control\nobjective, \xe2\x80\x9cUnbalanced trial balances are flagged, but not reported until in balance. Controls\nprovide reasonable assurance that application users are appropriately identified and\nauthenticated, and that access to the application and output is restricted to authorized users\nfor authorized purposes. Controls provide reasonable assurance that trial balances input is\naccurate and recorded in the proper period,\xe2\x80\x9d was achieved (Audited Financial Statements\nModule control objective # 6).\n\nUnited States Standard General Ledger Account Maintenance\n\nThe accompanying description includes control activities related to United States Standard\nGeneral Ledger (USSGL) account maintenance control. However, DDRS-AFS controls did\n                                         5\n\x0c    not preclude USSGL reference and reporting table changes from being made in the\n    production environment during periods of high activity. Changes or updates to the\n    DDRS-AFS reference and reporting tables were made at the same time users were entering\n    live data. Changes or updates to the USSGL reference and reporting tables during peak\n    processing periods such as quarterly reporting cycles increased the risk that balances may be\n    entered inaccurately. 
Additionally, the DDRS Program Management Office (PMO) did not\n    have a documented review and approval process in place to verify the accuracy and\n    completion of changes to the USSGL that were requested by DFAS-Arlington.\n\n    As a result, the design of controls did not provide reasonable assurance that the control\n    objective, \xe2\x80\x9cControls provide reasonable assurance that only valid and accurate changes are\n    made to DDRS reference tables, Department reporting tables, and other critical system\n    components; these changes are input and processed timely. Controls provide reasonable\n    assurance new accounting line items are promptly added to the reference tables and obsolete\n    accounts are promptly removed, and only valid accounts are added to the reference table,\xe2\x80\x9d\n    was achieved (Audited Financial Statements Module control objective # 7).\n\n    Data Collection Module\n\n    The accompanying description includes control activities related to determining the integrity\n    of data flowing from the Data Collection Module (DCM) to DDRS-AFS. However, the\n    design of controls allowed DDRS-AFS users in Columbus, Ohio and Indianapolis, Indiana to\n    circumvent embedded controls by rekeying DCM data into DDRS-AFS instead of using the\n    automated interface function. There was no requirement that these balances be marked\n    \xe2\x80\x9capproved\xe2\x80\x9d prior to being rekeyed into DDRS-AFS. At DFAS-Indianapolis, balances were\n    not approved before they were rekeyed into DDRS-AFS. 
This circumvention of controls\n    increased the risk of erroneous data being entered into DDRS-AFS.\n\n    As a result, the design of controls did not provide reasonable assurance that the control\n    objective, \xe2\x80\x9cControls provide reasonable assurance that DDRS has systems or processes for\n    determining the quality and integrity of data flowing through the system, and balances are\n    input and updated completely and accurately,\xe2\x80\x9d was achieved (Data Collection Module\n    Interfacing control objective #1).\n\nIn our opinion, the accompanying description of general computer and application controls at\nDFAS and DISA related to DDRS-AFS and the related financial statement compilation process\n(Section II and the control activities in Section III) presents fairly, in all material respects, the\nrelevant aspects of the controls at DFAS and DISA that had been placed in operation as of\nMarch 31, 2005. Also, in our opinion, except for the matters described in the preceding\nparagraphs, the controls, as described, are suitably designed to provide reasonable assurance that\nthe specified control objectives would be achieved if the described controls were complied with\nsatisfactorily and user organizations applied the controls contemplated in the design of the\ncontrols at DFAS and DISA.\n\nIn addition to the procedures that we considered necessary to render our opinion as expressed in\nthe previous paragraph, we applied tests to specified controls, listed in Section III, to obtain\nevidence about their effectiveness in meeting the related control objectives described in Section\nIII, during the period from October 1, 2004 to March 31, 2005. 
The specific control objectives;\ncontrols activities; and the nature, timing, extent, and results of the tests are listed in Section III.\nThis information has been provided to DDRS user organizations and to their auditors to be taken\ninto consideration, along with information about the user organizations\xe2\x80\x99 internal control, when\nmaking assessments of control risk for user organizations.\n\n                                                   6\n\x0cIn performing our examination, we identified deficiencies in operating effectiveness in eight of\n15 application control objectives (53 percent), and in 32 of 82 general computer control\nobjectives (39 percent) placed in operation for the period October 1, 2004 to March 31, 2005, as\nfollows:\n\n   Journal Vouchers\n\n   As discussed in the accompanying description of controls, a purpose of DDRS-AFS is to\n   produce auditable financial statements in accordance with the Chief Financial Officers (CFO)\n   Act of 1990, the Government Management Reform Act (GMRA) of 1994, and the Federal\n   Financial Management Integrity Act (FFMIA) of 1996. The use of journal vouchers aids\n   immeasurably in producing the financial statements. Journal vouchers adjust for errors,\n   record accounting entries that have not already been recorded, and are used for month-end\n   closing and year-end processing and closing purposes. To a significant extent DDRS-AFS\n   journal vouchers were either not supported at all or lacked sufficient supporting\n   documentation. The DoD OIG previously reported unsupported accounting entries as a\n   material weakness for the Department of Defense (DoD OIG Report No. 
D-2005-017,\n   Independent Auditor\'s Report on the Fiscal Year 2004 DoD Agency-Wide Financial\n   Statements, November 12, 2004).\n\n   DDRS-AFS had three categories of journal vouchers that were unsupported accounting\n   entries; these were elimination balancing, adjustments to balance or reconcile in AFS (such\n   as budgetary to proprietary accounts), and adjustments of trial balances to agree with\n   budgetary status of funds reports. All three categories of unsupported journal vouchers had\n   the effect of forcing agreement of amounts without actual, credible reconciliation of the two\n   data sources at the transaction level (enabling subsequent corrective actions). These journal\n   vouchers only provided the appearance of reconciliation between the data sources without\n   actually achieving auditable reconciliation. User organizations\xe2\x80\x99 systems and processes did\n   not provide sufficient information to DDRS-AFS to enable an efficient reconciliation, and\n   the time pressures related to the financial statement preparation process did not provide\n   adequate time for the extensive manual reconciliation processes required to prepare and\n   process appropriate correcting adjustments to the transactions. Also, some journal vouchers\n   were not approved by the appropriate level of authority (established by Chapter 2, Volume\n   6A, of the FMR) prior to entry into AFS. DFAS staff informed us that if they followed FMR\n   policy on journal voucher approval authority, the financial statements would not be\n   completed by the due dates. 
However, the entry of journal vouchers into DDRS-AFS\n   without appropriate review and approval could result in the entry of unsupported journal\n   vouchers.\n\n   As a result, the control objective, \xe2\x80\x9cControls provide reasonable assurance that Journal\n   Vouchers are supported by adequate documentation and that Journal Vouchers are approved\n   prior to entry into a DDRS table; that there are segregation of duties in the preparation of\n   Journal Vouchers; and that Journal Vouchers are in balance prior to entry into DDRS-AFS,\xe2\x80\x9d\n   may not have been achieved during the period from October 1, 2004 to March 31, 2005\n   (Audited Financial Statements Module control objective # 3).\n\n   Preparation of Financial Statements\n\n   As discussed in the accompanying description of controls, a purpose of DDRS-AFS is to\n   produce auditable financial statements in accordance with the CFO Act of 1990, the GMRA\n   of 1994, and the FFMIA of 1996. However, DoD policies related to the preparation of\n   financial statements and the template used for preparation of financial statements did not\n                                                7\n\x0cprovide for reporting a significant amount of accounting information required by the Federal\nAccounting Standards Advisory Board (FASAB) and Office of Management and Budget\n(OMB) Bulletin 01-09. Also, the mapping of accounts for the preparation of financial\nstatements in several instances relied on DoD general ledger accounts, instead of USSGL\naccount codes. Further, the mapping of accounts used for the preparation of the Statement of\nCustodial Activity did not conform to Treasury requirements. 
In addition, there were\nmultiple users with access to the beginning balance change role that allowed these users to\noverride beginning balances that were carried forward in DDRS-AFS.\n\nAs a result, the control objective, \xe2\x80\x9cControls provide reasonable assurance that financial\nstatements and related footnotes are produced in conformance with the reporting\nrequirements of FASAB, OMB Bulletin 01-09, and Treasury Financial Management Service.\nControls provide reasonable assurance financial statements are complete, reporting all\nmaterial financial information required by FASAB, and that automated totals in the financial\nstatements are appropriately calculated,\xe2\x80\x9d may not have been achieved during the period\nOctober 1, 2004 to March 31, 2005 (Audited Financial Statements Module control objective\n# 1).\n\nAudit Trails\n\nAs discussed in the accompanying description of controls, a purpose of DDRS-AFS is to\nproduce auditable financial statements. A key element in the auditability of financial\nstatements is the effectiveness of audit trails that allow external auditors to trace reported\namounts to supporting documentation. In DDRS-AFS, although system audit logs were\ncaptured and available for review, such logs were not reviewed on a regular basis.\n\nAs a result, the control objective, \xe2\x80\x9cControls provide reasonable assurance that DDRS-AFS\nproduces financial statements that are supported by audit trails that are adequate for the\nfinancial management entity and external auditors to trace amounts reported in the financial\nstatement back to trial balances and data from feeder systems. Controls provide reasonable\nassurance that audit trails indicate the user inputting the trial balance and the user approving\nthe trial balance. All audit trails indicate the user inputting the Journal Voucher and the user\napproving the Journal Voucher. 
Audit trails are reviewed on a regular basis for\nappropriateness,\xe2\x80\x9d may not have been achieved during the period from October 1, 2004\nthrough March 31, 2005 (Audited Financial Statements Module control objective # 2).\n\nValidation Controls\n\nAs discussed in the accompanying description of controls, a purpose of DDRS-AFS is to\nproduce auditable financial statements. The identification of erroneous data in trial balances\nand journal vouchers, and the correction of such data, are key elements in the auditability of\nfinancial statements. Although DDRS-AFS validation controls identified potentially\nerroneous data during reconciling processes, such data was not always communicated to the\nclient.\n\nAs a result, the control objective, \xe2\x80\x9cControls provide reasonable assurance that DDRS has\nprocesses for determining the integrity of data flowing through the system, and trial balances\nare input and updated completely and accurately. Controls provide reasonable assurance that\ndata validation and editing are performed to identify erroneous data, and that erroneous data\nare captured, reported, investigated, and corrected,\xe2\x80\x9d may not have been achieved during the\nperiod from October 31, 2004 through March 31, 2005 (Audited Financial Statements\nModule control objective # 5).\n\n                                              8\n\x0c    DDRS and DISA DECC-Ogden System Security Authorization Agreements\n\n    As discussed in the accompanying description, DoD Instruction 5200.40, \xe2\x80\x9cDepartment of\n    Defense Information Technology Security Certification and Accreditation Process\xe2\x80\x9d\n    (DITSCAP) establishes a standard, department-wide process to certify and accredit\n    information systems. The DDRS-AFS application and the DISA system enclave that\n    supports the application each have a separate System Service Authorization Agreement\n    (SSAA). 
However, the SSAA for DISA DECC-Ogden was not kept up to date in accordance\n    with DITSCAP standards and the DDRS SSAA was not complete.\n\n    As a result, the following control objective, \xe2\x80\x9cThe security plan is kept current,\xe2\x80\x9d may not have\n    been achieved during the period from October 1, 2004 to March 31, 2005 (General Computer\n    Controls control objective # 3).\n\n    System Authorization Access Request Forms\n\n    As discussed in the accompanying description, DoD Instruction 8500.2, \xe2\x80\x9cInformation\n    Assurance (IA) Implementation,\xe2\x80\x9d requires access control mechanisms to ensure that data is\n    accessed and changed only by authorized individuals and that registration to receive a user\n    ID includes authorization by a supervisor. The \xe2\x80\x9cSystem Authorization Access Request\n    (SAAR)\xe2\x80\x9d form 1 was designed to control user access to DDRS. However the SAAR form\n    was not always completed or omitted critical information. For example:\n\n        \xe2\x80\xa2   SAAR forms were not always authorized by the Information Assurance Officer.\n        \xe2\x80\xa2   SAAR forms were not always authorized by the Functional Data Owner (FDO).\n        \xe2\x80\xa2   One DDRS user did not have a SAAR form on file.\n        \xe2\x80\xa2   For some users, the type of access granted to DDRS was inconsistent with the type of\n            access authorized on the SAAR form.\n        \xe2\x80\xa2   Prior to 2004, the SAAR form did not contain enough detail to indicate specific\n            DDRS-AFS and DDRS-DCM roles. 
Previously submitted SAAR forms had not been\n            revised or updated to conform to existing access requirements and some SAAR forms\n            were missing required information, such as the justification for access or the type of\n            access requested.\n\n    As a result, the following control objectives may not have been achieved during the period\n    from October 1, 2004 to March 31, 2005:\n\n        \xe2\x80\xa2   \xe2\x80\x9cHiring, transfer, termination, and performance policies address security\xe2\x80\x9d (General\n            Computer Controls control objective # 9);\n        \xe2\x80\xa2   \xe2\x80\x9cResource owners have identified authorized users and their access authorized\xe2\x80\x9d\n            (General Computer Controls control objective # 19); \xe2\x80\x9cAdequate logical access\n            controls have been implemented at the application and Operating System layer\xe2\x80\x9d\n            (General Computer Controls control objective # 25);\n        \xe2\x80\xa2   \xe2\x80\x9cAccess is restricted to data files and software programs\xe2\x80\x9d (General Computer\n            Controls control objective # 28);\n        \xe2\x80\xa2   \xe2\x80\x9cAccess settings have been implemented in accordance with the access authorizations\n            established by the resource owners\xe2\x80\x9d (General Computer Controls control objective #\n            29);\n\n\n1 Reference to the SAAR form includes DD form 2875, DISA Form 41, and DISA and DFAS modified versions of\nthe SAAR form.\n                                                    9\n\x0c   \xe2\x80\xa2   \xe2\x80\x9cGroup authenticators for application or network access may be used only in\n       conjunction with an individual authenticator\xe2\x80\x9d (General Computer Controls control\n       objective # 44);\n   \xe2\x80\xa2   \xe2\x80\x9cAccess to program libraries is restricted to appropriate personnel\xe2\x80\x9d (General\n       Computer Controls control objective # 65);\n   
    •   “Policies and techniques have been implemented for using and monitoring the use of system utilities” (General Computer Controls control objective # 72);
    •   “Controls provide reasonable assurance that data transmissions between DDRS-AFS and user organizations are authorized, complete, accurate, and secure” (Audited Financial Statements control objective # 6);
    •   “Controls provide reasonable assurance that only valid and accurate changes are made to the DDRS-AFS Reference Tables, Department Reporting Tables and other critical system components; these changes are input and processed timely. Controls provide reasonable assurance that new accounting line items are promptly added to the reference tables and obsolete accounts are promptly removed, and only valid accounts are added to the reference tables” (Audited Financial Statements control objective # 7);
    •   “Controls provide reasonable assurance that balances entered into the DDRS-DCM are supported by adequate documentation, and that balances entered into the DDRS-DCM are approved prior to entry into a DDRS table” (Data Collection Module control objective # 2); and
    •   “Controls provide reasonable assurance that data transmissions between DDRS-AFS and DDRS-DCM are authorized, complete, accurate and secure.
        Unbalanced trial balances are flagged and not reported until in balance” (Data Collection Module Interfacing control objective # 2).

Database Administrator Segregation of Duties

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires that change controls for software development be in place to prevent unauthorized programs or modifications to programs from being implemented, and that application programmer privileges to change production code and data be limited. The DDRS database administrators located at DFAS-Indianapolis had full access to the DDRS test, development, and production environments.

As a result, the following control objective, “Access to program libraries is restricted to appropriate personnel,” may not have been achieved during the period from October 1, 2004 to March 31, 2005 (General Computer Controls control objective # 65).

Training

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires that DoD users and systems support personnel participate in periodic security awareness training.
However:

    •   The system administrator training materials used at DISA DECC-Ogden were outdated.
    •   Some DDRS users in DFAS-Cleveland had not attended required security awareness training.

As a result, the following control objectives may not have been achieved during the period from October 1, 2004 to March 31, 2005:

    •   “Employees have adequate training and expertise” (General Computer Controls control objective # 10); and
    •   “A program is implemented to confirm that on arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned Information Assurance responsibilities” (General Computer Controls control objective # 11).

Audit Trail Access

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires that access to system audit trails be restricted to only authorized users. DFAS-Indianapolis was unable to provide a system-generated listing of personnel who were assigned access to the privileged role with access to the DDRS application and database audit trails.
Without this listing, the appropriateness of access to application and database audit trails could not be determined.

As a result, the control objective, “The contents of audit trails are protected against unauthorized access, modification or deletion,” may not have been achieved during the period from October 1, 2004 to March 31, 2005 (General Computer Controls control objective # 33).

Standard Operating Procedures

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires that significant system administration functions and procedures be documented. Standard operating procedures to guide DISA DECC-Ogden system administrators in performing their job responsibilities were not documented.

As a result, the control objective, “Formal procedures guide system management personnel in performing their duties,” may not have been achieved during the period from October 1, 2004 to March 31, 2005 (General Computer Controls control objective # 80).

Physical Access Controls

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires DoD Agencies to have physical access controls in place to restrict unauthorized access, and to have policies and procedures in place governing visitor access. DFAS-Cleveland was a tenant in a Federal building that was also occupied by other Federal entities. Although the main entrance to the building was monitored in accordance with government procedures, the floors occupied by DDRS software development and support staff were not restricted from access by other building tenants or authorized visitors.
In addition, procedures governing visitor access to the building were not documented, some visit request letters were missing, and the DFAS-specific visitor sign-in sheet was not maintained.

As a result, the following control objectives may not have been achieved during the period from October 1, 2004 to March 31, 2005:

    •   “Adequate physical security controls have been implemented” (General Computer Controls control objective # 22); and
    •   “Visitors are controlled” (General Computer Controls control objective # 24).

Monitoring Audit Logs

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires the regular review of audit trail records for indications of inappropriate or unusual activity. However, DISA DECC-Ogden did not proactively monitor or review operating system audit trails.

As a result, the following control objectives may not have been achieved during the period from October 1, 2004 to March 31, 2005:

    •   “Tools are available for the review of audit records and for report generation from audit records” (General Computer Controls control objective # 34); and
    •   “Policies and techniques have been implemented for using and monitoring the use of system utilities” (General Computer Controls control objective # 72).

Software Change Controls

As discussed in the accompanying description, DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” requires that authorizations for application or operating software changes be documented and maintained.
However:

    •   Some software changes made by DFAS-Cleveland did not have required documentation and authorization signatures on file, including Statement of Agreement documents from the Functional Requirements Review (FRR), Test Readiness Review and Systems Integration Testing (TRR/SIT), Test Readiness Review and Functional Validation Testing (TRR/FVT), and Release Implementation Readiness Review.
    •   Software changes implemented by DFAS-Indianapolis on the production servers could not be traced back to authorized development activities conducted by DFAS-Cleveland.

As a result, the following control objectives may not have been achieved during the period from October 1, 2004 to March 31, 2005:

    •   “A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place” (General Computer Controls control objective # 14);
    •   “Authorizations for software modifications are documented and maintained” (General Computer Controls control objective # 59);
    •   “Changes are controlled as programs progress through testing to final approval” (General Computer Controls control objective # 61);
    •   “Emergency changes are promptly tested and approved before being moved into production” (General Computer Controls control objective # 62); and
    •   “Distribution and implementation of new or revised software is controlled” (General Computer Controls control objective # 63).

In our opinion, except for the matters described in the preceding paragraphs, the controls that were tested, as
described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from October 1, 2004 to March 31, 2005. However, the scope of our engagement did not include tests to determine whether control objectives not listed in Section III were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Section III.

The relative effectiveness and significance of specific controls at DFAS and DISA and their effect on assessments of control risk at user organizations are dependent on their interaction with the internal control environment and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of internal controls placed in operation at individual user organizations.

The description of the controls at DFAS and DISA is as of March 31, 2005, and information about tests of their operating effectiveness covers the period from October 1, 2004 to March 31, 2005. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific controls at DFAS and DISA is subject to inherent limitations and, accordingly, errors or fraud may occur but not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.
This report is intended solely for use by DDRS management, DDRS user organizations, and the independent auditors of such user organizations.

                                      By direction of the Deputy Inspector General for Auditing:

                                      Paul J. Granetto, CPA
                                      Assistant Inspector General
                                      Defense Financial Auditing Service

II. Description of Defense Departmental Reporting System and Related Financial Statement Compilation Process Operations and Controls Provided by the Defense Finance and Accounting Service and the Defense Information Systems Agency

A. Overview of Operations

Department of Defense

The Department of Defense (DoD) is the cabinet-level agency responsible for establishing and administering defense initiatives and strategy for the United States. DoD employs approximately two million military and civilian individuals and has an annual operating budget of $371 billion. The DoD is organized such that the Joint Chiefs of Staff, the Office of Inspector General, and each of the Military Departments report to the Office of the Secretary of Defense.

Defense Finance and Accounting Service

The DFAS mission is to provide responsive, professional finance and accounting services for the DoD. The Director of DFAS reports to the Under Secretary of Defense (Comptroller/Chief Financial Officer). DFAS is responsible for the proper accounting of resources in DoD.
DFAS is organized such that the Director and Deputy Director oversee operations as depicted below:

[Organization chart: Director/Deputy Director, with Client Executives; Military & Civilian Pay Services; Commercial Pay Services; Accounting Services; CFO/Corporate Resources; Chief Information Officer; Acquisition Management Organization; Policy; Plans & Requirements; Internal Review; General Counsel; Chief of Staff; DDRS Program Management Office; Technology Services Organization; and DFAS Central Site User Base. CFO – Chief Financial Officer]

In the Accounting Systems Directorate, Installation and Tactical Support Accounting Systems Organization, the Program Management Office (PMO) helps to ensure continued operation of the Defense Departmental Reporting System (DDRS) in accordance with DoD security and operational requirements.
The Technology Services Organization (TSO) is responsible for elements of the technical administration of DDRS and provides multi-tier system support in coordination with other organizations. The TSO carries out its responsibilities for many aspects of system support in coordination with the Centralized Directorate for Information Management (CDOIM), as well as decentralized Defense Office of Information Management (DOIM) organizations servicing other DFAS sites. CDOIM and DOIM groups are responsible for overall management and continuance of the DDRS computer processing operations. See the Information Systems and Control Environment discussions for detailed descriptions of PMO, TSO, CDOIM, and DOIM organizational roles relating to DDRS administration and operation.

Defense Information Systems Agency

DISA is a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric (systems with operations distributed across a network) solutions to serve the needs of the President, Vice President, the Secretary of Defense, and other DoD Components under all conditions of peace and war.

DISA performs the following functions in support of the DDRS underlying information technology architecture:

•   Installation and maintenance of system software, including operating systems, communication networks, and file control software;
•   Installation and maintenance of the Oracle database management software;
•   Administration of system parameter settings in the Oracle software that provide logical access control;
•   Restriction of physical access to computer facilities, application programs, and data files housed in the facility;
•   Backup and contingency planning, including maintenance of off-site processing capabilities and rotational off-site storage of
    critical files; and
•   Logical segregation of major applications from other systems resident on the domain hardware and from unauthorized external users.

By providing the services and fulfilling the responsibilities outlined above, DFAS and DISA represent service organizations that act in concert to provide finance and accounting services supported by information systems and technology to DoD user organizations, including:

•   Army Posts, Camps and Stations, such as Fort Riley and Fort Belvoir;
•   Air Force, Security Assistance – DFAS-Denver;
•   Defense Commissary Agency – Worldwide;
•   Other Defense Agencies, such as the Defense Advanced Research Projects Agency; and
•   DFAS field sites, including Pearl Harbor, Hawaii; San Antonio, Texas; Indianapolis, Indiana; Orlando, Florida; Rome, New York; Lawton, Oklahoma; and Seaside, California.

DISA’s relationship with DFAS is, itself, a service organization and user organization relationship. DISA provides platform hosting and systems and hardware support services to DFAS, a user and administrator of the DDRS application resident on the DISA-operated platform. However, for the purposes of the Statement on Auditing Standards (SAS) 70/88 examination, DISA and DFAS are viewed as a combined service organization that delivers information systems technology-enabled finance and accounting support services.

B. Relevant Aspects of the Control Environment, Risk Assessments, and Monitoring

Control Environment

Defense Finance and Accounting Service. DFAS Acquisition Management Organization (DFAS-AMO) provides management control and coordination in DoD and has overall responsibility for the DDRS system, including reviewing and maintaining the DDRS security policy.
The DDRS Program Management Office (PMO) provides program oversight, testing, training, data development, and customer service. The DFAS Technology Services Organization, Pensacola, Florida (DFAS-TSO-PE), provides a customer contact center that enters, logs, and tracks customer trouble tickets. The DFAS-TSO located in Cleveland, Ohio (DFAS-TSO-CL), provides DDRS software engineering and technical support. The Technology Services Organization Corporate Services in Indianapolis, Indiana (DFAS-TSO-CS), provides production support and database administration.

Accounting office employees and contractors are required to review applicable administrative orders, policies, and procedures with the Human Resource Office and must complete appropriate forms to gain access to DFAS systems. The Information Security Manager: (1) provides basic systems security awareness training, (2) secures civilian and contractor signatures on the ADP Security Awareness disclosure, (3) identifies the Terminal Area Security Officer to the employee and explains the Terminal Area Security Officer’s responsibilities, and (4) notifies appropriate personnel to provide employee or contractor access or to immediately terminate access to DFAS Automated Information System (AIS) resources when an employee or contractor processes in or out. The accounting and DFAS-TSO-CL facilities do not require employees to have security clearances before beginning employment.

DFAS employees have formal job descriptions.
Contractors’ duties and deliverable descriptions, as well as required skills and security levels, are identified in commercial contracts.

DDRS Development and Management activities follow Software Quality Assurance (SQA) functions and controls adhering to the DoD and DFAS standards established for that purpose. When implementing the DDRS SQA function, management considered two sets of controls. First, at the management level, they monitor the definition and establishment of six SQA reviews occurring at specific points in the life cycle of a given DDRS Release. These reviews constitute milestones providing the opportunity to assess the executed work for a specific phase in the development process. The reviews ensure that major discrepancies and risks are identified, that the conditions necessary to complete the current phase are satisfied, and that the conditions necessary to proceed to the next phase are in place. Second, at the development level, controls consist of a set of DDRS policies that have been developed to define engineering practices, determine development behavior, specify procedures consistent with standard engineering practices in adherence to the Software Engineering Institute’s Capability Maturity Model framework, and meet SQA objectives and management requirements.

DFAS has formal capital planning and programming processes. Annually, the DFAS Portfolio Management Directorate requires the DDRS Program Management Office (PMO) to submit a Portfolio Management Initiative Report. The Management Directorate conducts a review to ensure the project continues to support DFAS’ strategic objectives.
In addition, the Office of the Secretary of Defense, Program Analysis and Evaluation, reviews and approves a five-year program objective memorandum describing the program’s Planning, Programming, Budgeting, and Execution.

Defense Information Systems Agency. A signed Service Level Agreement (SLA) between DISA and DFAS documents the support services provided by DISA to DDRS. Both agencies review and update the SLA annually. The Defense Enterprise Computing Center (DECC) located at Ogden, Utah maintains and executes the DDRS system on mid-tier platforms. DISA DECC-Ogden is part of the Center for Computing Services in the Global Information Grid Combat Support Directorate, a DISA Strategic Business Unit.

The DISA Security Manager completes the processing and vetting of all new employees and contractors accessing the DISA facility in Ogden. DISA employees have formal job descriptions. Contractors’ duties and deliverable descriptions are identified in commercial contracts. Contracts also specify the skills and security levels required for contract staff. All contractors and employees are required, at a minimum, to have a Secret clearance and a positive National Agency Check.

All new employees must sign DISA Form 312, which serves as a nondisclosure agreement for sensitive and classified information. Terminated employees are also required to re-sign the Form 312 to acknowledge that they understand the agency policies for sensitive and classified information. The contracting officer is responsible for confirming that all contractors assigned to DISA DECC-Ogden have a valid contract to operate at that location, and the Security Manager confirms the length of the contract and determines when system accounts should expire.
All new employees and contractors are required to complete DD Form 2875, “System Authorization Access Request (SAAR),” to gain access to DISA systems and must complete security awareness training.

Risk Assessments

DoD Instruction 5200.40, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP),” establishes a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems. This process maintains the information assurance and security posture of the defense information infrastructure throughout the life cycle of each system. The certification process is a comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards to establish the extent to which a particular design and implementation meets specified security requirements; it covers physical, personnel, administrative, information, information systems, and communications security. The accreditation process is a formal declaration by the designated approval authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

The DITSCAP process includes several activities that document and assess risks associated with DDRS. The DDRS application and the DISA system enclave that supports the application each have separate System Security Authorization Agreements (SSAA) as part of the DDRS DITSCAP process.
Each SSAA is a living document that represents an agreement between the designated approval authority, certifying authority, user representative, and program manager. The DDRS SSAA documents its mission description and system identification, environment description, system architecture description, system class, system security requirements, organizations and resources, and the DITSCAP plan. On a periodic basis, the system security officer verifies and validates DDRS compliance with information in the SSAA. These verification and validation procedures include, among other steps, vulnerability evaluations, security testing and evaluation, penetration testing, and risk management reviews. DDRS was certified and accredited by DFAS on December 3, 2002.

The DDRS application and enclave SSAAs document threats to DDRS and its supporting technical environment. The SSAAs also contain Residual Risk Assessments that document vulnerabilities noted during DDRS tests and analyses. Management updates the SSAA periodically. Personnel from the Defense Finance and Accounting Service - Arlington (DFAS-Arlington), DFAS-TSO-CS, DFAS-TSO-CL, and the Defense Information Systems Agency (DISA) Defense Enterprise Computing Center (DECC) Ogden, Utah (DISA DECC-Ogden) participate in these risk assessments.

Monitoring

Management and supervisory personnel at DFAS and DISA monitor the performance quality and internal control environment as a normal part of their activities. DFAS and DISA have management, financial, and operational reports available to help monitor the performance of accounting processing as well as the DDRS system itself. Management periodically reviews these reports and takes action as necessary. The system logs and reports any procedural problems or exceptions to normal scheduled processing, and management ensures that all issues are resolved in a timely manner.
In addition, several other organizations in DoD perform monitoring associated with DDRS-related internal controls. These organizations include:

   DFAS Internal Review Office

DFAS has an Internal Review Office that conducts internal audits, inspections, and investigations of the DFAS-related system components that support DDRS. The DFAS Internal Review Office is independent of the DDRS management structure and does not manage, maintain, or configure DDRS systems.

   DISA Office of the Inspector General and Field Security Office

DISA has an independent Office of the Inspector General that conducts internal audits, inspections, and investigations of DISA components that support DDRS. The Field Security Operations (FSO) unit periodically reviews DISA’s security practices. DDRS system components maintained by DISA are subject to FSO reviews. The FSO is independent of the DECC-Ogden management structure and does not maintain or configure DDRS systems.

   Department of Defense Office of Inspector General

Congress established the Department of Defense Office of Inspector General (DoD OIG) to conduct and supervise audits and investigations of DoD operations. The DoD OIG reports directly to the Secretary of Defense and is independent of DFAS and DISA. DDRS and the accounting processes it supports are part of the DoD OIG audit universe and are subject to financial, operational, and information technology audits.

C. Information and Communication

Information Systems

The DDRS provides tools for DoD accountants to produce audited financial statements, unaudited interim financial statements, and budgetary reports. The DDRS-AFS module produces the Statement of Budgetary Resources, Balance Sheet, Statement of Net Position, Statement of Net Cost, Statement of Financing, and the Statement of Custodial Activities.
It also produces the interim and annual financial statement report footnotes, Management Reports, Required Supplementary Information (RSI), and Reconciliation Reports. The DDRS Budgetary module produces the Report on Budget Execution and Budgetary Resources (SF-133), Report on Reimbursements (Supplemental 725), Appropriation Status By Fiscal Year, Program And Sub-accounts (DoD 1002), Accounting Report 1307 (AR 1307), Schedule of Transfers and Re-appropriations, and the Report on Receivables. DDRS-AFS and DDRS Budgetary report for both the Defense Working Capital and General Funds. The DDRS-DCM is a sub-module of DDRS-AFS. DDRS-DCM captures financial data from non-financial feeder systems to support the audited financial statements. DDRS-DCM collects data from the following functional reporting areas:

•   Capital Leases
•   Capitalized Assets
•   Contingencies
•   Deferred Maintenance Employee Benefits
•   Environmental Liabilities – Non-Federal
•   Federal Employees' Compensation Act (FECA)
•   Imputed Costs
•   Judgment Funds
•   Operating Leases
•   Operating Materials & Supplies (OM&S)
•   Other Liabilities
•   Personal Property
•   Real Property, and
•   Supplementary Stewardship Information

Defense Management Review Decisions 910 and 912 led to major cost-savings initiatives aimed at standardizing processes and consolidating finance and accounting operations and automated information systems (AISs). In November 1990, Congress passed the Chief Financial Officers (CFO) Act (Public Law 101-576, as amended) requiring DoD to improve financial management and reporting.
Under Secretary of Defense Memorandum of October 13, 1993, “Accelerated Implementation of Migration Systems, Data, Standards, and Process Improvement,” directs Defense Agencies to select migration systems to be used for consolidating systems, and to achieve full implementation of migration systems across the same functions.

The Government Management Reform Act (GMRA) of 1994 requires federal agencies to submit audited financial statements to the Office of Management and Budget and the U.S. Treasury annually. The Federal Financial Management Improvement Act (FFMIA) of 1996 requires all Federal agencies to implement and maintain financial management systems that comply substantially with Federal financial management systems requirements, applicable Federal accounting standards, and the United States Standard General Ledger at the transaction level.

DDRS Support Functions

DFAS-Arlington provides management control and coordination in DoD and has overall responsibility for interpretation and application of DDRS. DISA DECC-Ogden maintains and executes DDRS on mid-tier platforms. The Technology Services Organization in Cleveland, Ohio (DFAS-TSO-CL), which is part of DFAS, provides DDRS application technical support. The Technology Services Organization Corporate Services in Indianapolis, Indiana (DFAS-TSO-CS), also a part of DFAS, provides DDRS database management and administrative support.

DDRS Functionality

The DDRS-AFS module produces the quarterly and annual CFO financial statements and the Federal Agencies Centralized Trial Balance System (FACTS I and II) reports for DoD. The DDRS-DCM captures financial data from non-financial feeder systems to support the CFO financial statements.
All DoD reporting entities are currently using the DDRS-DCM module.\nThe DoD will standardize the budgetary reporting process and replace the legacy departmental\nbudgetary reporting systems through the implementation of the DDRS Budgetary Module.\n\nThe component-level accounting information goes through several manual processes of\nadjustment at DFAS Centers before input to the DDRS-AFS Module. The DFAS centers put\nthis accounting data through Microsoft Excel crosswalks to adjust it to common account codes\ncompliant with the USSGL. The data is also analyzed to identify data quality problems, such as\nabnormal account balances, out-of-balance trial balances, and proprietary accounts not in balance\nwith budgetary accounts. Several analytical processes are used to adjust accounting data for\nthese problems. These manual processes may not be well established in policy and may vary\nfrom center to center. At the conclusion of these processes, the data is manually input to import\nsheets for transfer to DDRS-AFS. In the Centers where the Budgetary Module has been\nimplemented, these processes are automated. 
The Budgetary Module has been implemented in\nthe Kansas City Center (Marine Corps Working Capital Fund), the Cleveland Center (Navy\nWorking Capital Fund), and the Denver Center (Air Force General Fund).\n\nIn addition to financial reporting, DDRS-AFS and DDRS-Budgetary provide the following\nfunctionality:\n\n\xe2\x80\xa2   report certification;\n\xe2\x80\xa2   journal voucher creation and approvals;\n\xe2\x80\xa2   memorandum creation and approvals;\n\xe2\x80\xa2   footnote creation and administration;\n\xe2\x80\xa2   financial statements and reports at lower levels;\n\xe2\x80\xa2   drill down on reports and footnotes;\n\xe2\x80\xa2   report export to Microsoft Word, Microsoft Excel, and Portable Document Format (PDF);\n\xe2\x80\xa2   reconciliation within and between reports;\n\xe2\x80\xa2   file transfer protocol or upload;\n\xe2\x80\xa2   data locking and certifying;\n\xe2\x80\xa2   data export;\n\xe2\x80\xa2   report map and crosswalk table maintenance;\n\xe2\x80\xa2   trend analysis and management reports;\n\xe2\x80\xa2   ad-hoc reporting capability;\n\xe2\x80\xa2   application security administration; and\n\xe2\x80\xa2   internal audit reporting.\n\nDDRS has over 1,100 end users at over 100 locations. The user base consists of Accountants,\nAuditors, Budget Analysts, and Financial Analysts throughout the DoD Military Departments\nand Defense Agencies.\nDDRS supports the financial reporting requirements of the DoD Comptroller and subordinate\norganizations. DDRS receives trial balance data from a variety of DoD accounting systems. The\nDDRS PMO distributes a DDRS chart of accounts with all USSGL transactions and attributes\nquarterly. DFAS accountants populate the charts of accounts and upload them to DDRS-AFS.\n\nFor those DFAS sites that have implemented the DDRS-Budgetary module, accountants upload\ndata files from local accounting systems to DDRS-Budgetary. DDRS-Budgetary translates the\ndata to the USSGL and related attributes. 
DDRS-Budgetary consolidates this data and produces\nprogram level trial balances that it delivers to DDRS-AFS. The Navy and Marine Corps\nWorking Capital Funds and the Air Force General Fund have implemented DDRS. DFAS plans\nto implement DDRS-Budgetary for all budgetary reporting.\n\n\n                                               23\n\x0cSystem Architecture\n\nDDRS is a web-based architecture comprised of an application server on the front-end and a\ndatabase server on the back-end, connected directly in the DISA DECC-Ogden enclave. These\nservers are connected to users and interfacing systems using the DoD-maintained networks\ncomprised of Internet Protocol based services, such as the Non-Classified Internet Protocol\nRouter Network. The network connects DDRS to a wide variety of DFAS and non-DFAS user\nsites (mainframes, mid-tiers, and personal computers) that supply or exchange data with DDRS\nprimarily through electronic file transfers. Examples of external interface sites include the\nStandard Accounting, Budgeting and Reporting System (SABRES); and the U.S. Department of\nTreasury Federal Agencies Centralized Trial Balance System (FACTS) I and FACTS II.\n\nDDRS programming languages include PLSQL, HTML, Oracle Designer, Oracle Developer,\nOracle Reports and Java. The Oracle Application Server provides security protection\nmechanisms at entry points. DISA DECC-Ogden provides the web server that services all\napplications that support DDRS. This server accepts the users\' secure web requests by supplying\na menu screen with options for each application to the DDRS Logon Screen, where individuals\nenter their DDRS login user IDs and passwords.\n\nCommunication\n\nThe Service Level Agreement (SLA) documents the support relationship between DFAS and\nDISA DECC-Ogden. Management reviews and updates this document annually. The SLA\noutlines contacts and liaisons for use when DDRS issues arise. 
DISA DECC-Ogden also assigns\na customer relationship manager to work with DFAS-TSO-CL to resolve any DDRS processing\nproblems or concerns.\n\nDFAS-TSO-CL and accounting office directors and managers meet weekly to discuss DDRS\nprocessing issues. There is also a Configuration Control Board, comprised of DFAS-TSO-CL,\nthe DDRS PMO, and Accounting Office personnel, to review and approve functional and\nsystemic changes to DDRS. The DDRS PMO maintains a help desk function to identify, track,\nand communicate DDRS user issues and problems to the DFAS-TSO-CL for resolution.\n\nD. Control Objectives and Related Control Activities\nThe DDRS control objectives and related control activities are included in Section III of this\nreport, \xe2\x80\x9cInformation Provided by the Service Auditor,\xe2\x80\x9d to eliminate the redundancy that would\nresult from listing them in this section and repeating them in Section III. Although the control\nobjectives and related controls are included in Section III, they are, nevertheless, an integral part\nof the description of controls.\n\nUser Organization Control Considerations.\n\nThe control activities at DFAS and DISA related to DDRS-AFS and the financial statement\ncompilation process were designed with the assumption that certain controls would be placed in\noperation at user organizations. This section describes some of the controls that should be in\noperation at user organizations to complement the controls at DFAS and DISA.\n\nUser organizations are defined as those organizations that use DDRS for the preparation of their\nquarterly and annual financial statements. User organizations provide DDRS with general ledger\ntrial balances and other financial data required for the preparation of financial statements.\nGenerally, the application of specific control activities at user organizations is necessary to\nachieve certain control objectives included in Section III of this report. 
User auditors are to\n                                                 24\n\x0cconsider whether these user organization controls have been placed in operation at the user\norganizations. The list of user organization controls presented below does not represent a\ncomprehensive set of all the controls that should be employed. Other controls may be required\nat user organizations depending on the specific financial and accounting circumstances of the\norganization.\n\nControls to Mitigate the Effects of DoD Material Weaknesses\n\nDDRS relies on user organizations to provide financial data, in the form of trial balances, as the\nbasic information used in the preparation of financial statements. User organizations must have\ncontrols in place to provide reasonable assurance that financial information meets Federal\nrequirements for preparation of financial statements. To the extent that user organization\ncontrols fail to achieve compliant trial balance information, the DDRS-produced financial\nstatements will also be noncompliant.\n\nOther User Organization Controls\n\nThe control activities at DFAS and DISA related to DDRS were designed with the assumption\nthat certain controls would be in placed in operation at user organizations. The application of\nsuch controls by user organizations is necessary to achieve certain control objectives identified in\nthis report. This section describes some of the controls that should be in operation at user\norganizations to complement the controls at DFAS and DISA but is not a comprehensive list of\nall controls that user organizations should employ.\n\n1. The financial closing and reporting process is documented in official policies and procedures\n   and distributed to all employees. Any changes made to the established procedures must be\n   authorized by management and communicated throughout the organization.\n\n2. 
Roles and responsibilities in the financial closing and reporting process are clearly defined,\n   documented, and communicated to all personnel.\n\n3. General policies are established and documented regarding permissible overrides of existing\n   policies and procedures for the financial closing and reporting process.\n\n4. As part of the financial reporting process, management and responsible personnel identify all\n   generally accepted accounting principles and federal reporting requirements affecting the\n   entity.\n\n5. Reconciliations for all significant accounts are performed and prepared timely and\n   independently reviewed.\n\n6. All required analyses are completed timely and reviewed for appropriate assumptions,\n   methodology, and evaluation of results. Unusual items and exceptions are investigated,\n   resolved and recorded in the correct accounting period.\n\n7. All trading partner events and transactions are recorded, authorized, and disclosed in the\n   correct accounting period.\n\n8. All events and transactions requiring financial statement disclosure are identified, analyzed\n   and prepared in accordance with generally accepted accounting principles and federal\n   reporting requirements.\n\n9. Disclosure checklists and instructions are used in preparing and reviewing all draft financial\n   statements and disclosures for completeness and consistency.\n                                               25\n\x0c10. All required financial statement disclosure reporting packages and analyses are prepared and\n    independently reviewed prior to submission to DFAS for further processing in DDRS-AFS.\n\nThe list of user organization control considerations presented above does not represent a\ncomprehensive set of all the controls that should be employed by user organizations. 
Other controls may be required at user organizations.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Control Activities, and Tests of Operating Effectiveness

The information contained in this section was provided by several different entities:

• The control objectives were specified by the DoD OIG, and accepted by DFAS and DISA.
• The control activities were provided by DFAS and DISA.
• Section III was provided by DoD OIG.

The controls described and tested in this section are limited to those general and application control objectives and related control activities applicable to DDRS-AFS, DDRS-DCM, and the related financial statement compilation process. The controls related to DDRS-Budgetary were specifically excluded from this review. In addition, the controls related to the feeder systems that are the source of much of the information in DDRS-AFS are specifically excluded from this review. We did not perform procedures to evaluate the effectiveness of the input, processing, and output controls in DDRS-Budgetary or in these feeder systems, although we did perform procedures to evaluate DDRS-AFS interface input and output controls. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DDRS-AFS.

General Computer Controls

The table in this section has five columns: CO No. | Control Objective | Control Activity | Test Procedure | Results of Testing. Each control objective is listed below with the control activity, test procedure, and results of testing for each entity (DISA DECC-Ogden and DFAS-Arlington).

Enterprise-Wide Security Program Planning

CO No. 1: Risks are periodically assessed.

  DISA DECC-Ogden
  Control Activity: Automated Security Readiness Review (SRR) scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has an SRR and an Internet Security Systems scan before it is connected to the network. The DISA Field Security Office, periodic SRRs, and Internet Security Systems scans. DISA DECC-Ogden conducts reviews of the System Security Authorization Agreement (SSAA), which includes the operation facility environmental risk assessment that is renewed and reviewed on an annual basis.
  Test Procedure: Read the latest risk assessment included in the SSAA dated February 18, 2004, to confirm that risks were periodically assessed. Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Inspected a single SRR performed by DISA DECC-Ogden and inspected the Vulnerability Management System findings report to confirm that findings identified by the SRR had been addressed.
  Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
  Control Activity: The DDRS application security risks are randomly sampled and analyzed every three years. These risks are reported to DFAS Information Assurance Management and are considered for accreditation and re-accreditation every three years.
  Test Procedure: Read the latest risk assessment included in the SSAA to confirm that risks were periodically assessed.
  Results of Testing: No relevant exceptions noted.

CO No. 2: A security plan is documented and approved.

  DISA DECC-Ogden
  Control Activity: DISA DECC-Ogden documents the security plan in the SSAA, which is renewed and approved on an annual basis.
  Test Procedure: Read the DISA DECC-Ogden SSAA to confirm that it included a current and approved security plan. Confirmed, through inquiry of the Information Assurance Manager, the process for updating the DISA DECC-Ogden SSAA and that the SSAA had been updated.
  Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
  Control Activity: An SSAA was created specifically for DDRS to obtain an approval to operate. The SSAA was approved on December 3, 2002.
  Test Procedure: Read the DDRS SSAA to confirm it had been documented, updated, and approved.
  Results of Testing: No relevant exceptions noted.

CO No. 3: The security plan is kept current.

  DISA DECC-Ogden
  Control Activity: DISA DECC-Ogden documents the security plan in the SSAA. The security plan is renewed, reviewed, and approved on an annual basis.
  Test Procedure: Read the DISA DECC-Ogden SSAA to confirm the security plan in the SSAA had been documented, updated, and appropriately approved. Read the following documents to confirm that each had been updated:
    • DISA DECC-Ogden Systems Security Policy,
    • Security Requirements, and
    • Certification Test and Evaluation Plan.
  Results of Testing: The DISA DECC-Ogden SSAA was not compliant with DITSCAP requirements. Specifically, the DISA DECC-Ogden SSAA had six incomplete appendices.

  DFAS-Arlington
  Control Activity: The DDRS SSAA is updated as needed and completely updated every three years for reaccreditation. The DDRS SSAA is in the process of being updated.
  Test Procedure: Read the DDRS SSAA to confirm it had been documented, updated, and appropriately approved. Confirmed through inquiry of the Information Assurance Manager the process for updating the DDRS SSAA and that the DDRS SSAA had been updated. Read the following documents to confirm that each had been updated:
    • DDRS Systems Security Policy,
    • Security Requirements, and
    • Certification Test and Evaluation Plan.
  Results of Testing: The DDRS SSAA was not compliant with DITSCAP requirements. Specifically, the DDRS SSAA had 20 incomplete sections, seven missing sections, and one incomplete appendix.

CO No. 4: A security management structure has been established.

  DISA DECC-Ogden
  Control Activity: An Information Assurance Manager and an Alternate Information Assurance Manager have been assigned. There are Information Assurance Officers for each type of Operating System, and Terminal Area Security Officers are assigned to each area.
  Test Procedure: Confirmed through inquiry that a management structure had been established. Read the DISA DECC-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. Read the DISA DECC-Ogden SSAA to confirm that each security management position was outlined in the SSAA.
  Results of Testing: The security management structure contained position titles that were not in accordance with DoD Instruction 8500.2 requirements. However, we confirmed through interviews and inspection of the organizational chart and job descriptions that a security management structure was in place. As such, the intent of the objective was achieved.

  DFAS-Arlington
  Control Activity: DDRS has an Information Assurance Officer, Assistant Information Assurance Officers, and an Information Assurance Manager.
  Test Procedure: Confirmed through inquiry that a management structure had been established. Read the DDRS Program Management Office (PMO) organizational chart and job descriptions to confirm that all positions were established in writing. Inspected the Appointment Letters for the Information Assurance Officer, Assistant Information Assurance Officer, and the Information Assurance Manager to confirm that each had been appointed in writing with the responsibilities of their positions included in the appointment letters.
  Results of Testing: No relevant exceptions noted.

CO No. 5: Information security responsibilities are clearly assigned.

  DISA DECC-Ogden
  Control Activity: The information security responsibilities are included in the security plan. The security handbook also identifies roles and responsibilities.
  Test Procedure: Confirmed through inquiry that a management structure had been established. Read the DISA DECC-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. Read the DISA DECC-Ogden SSAA to confirm that each security management position was outlined in the SSAA.
  Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
  Control Activity: The DDRS Information Assurance Officer, Assistant Information Assurance Officers, and Information Assurance Manager are appointed in writing, with the responsibilities attached to the appointment letters.
  Test Procedure: Confirmed through inquiry that a management structure had been established. Read the DDRS PMO organizational chart and job descriptions to confirm that all positions were established in writing. Inspected the appointment letters for the Information Assurance Officer, Assistant Information Assurance Officer, and Information Assurance Manager to confirm that each had been appointed in writing with the responsibilities of their positions included in the appointment letters.
  Results of Testing: No relevant exceptions noted.

CO No. 6: A set of rules that describe the Information Assurance operations of the DoD information system and clearly delineate Information Assurance responsibilities and expected behavior of all personnel is in place.

  DISA DECC-Ogden
  Control Activity: This is covered through the periodic compliance review of the UNIX Security Technical Implementation Guide (STIG) and the Network Infrastructure Security Technical Implementation Guide (https://iase.disa.mil/techguid/stig/index.html). DISA also ensures each new DISA employee has received General and System Specific Rules of Behavior brief(s) from their immediate supervisor, has signed the acceptance form, and is cognizant of their responsibilities in safeguarding system security prior to being given system access.
  Test Procedure: Confirmed through inquiry that a management structure had been established. Read the DISA DECC-Ogden organizational chart and job descriptions to confirm that all positions were established in writing. Read the DISA DECC-Ogden SSAA to confirm that each security management position was outlined in the SSAA. Inquired with the Information Assurance Manager on the availability of the Rules of Behavior for the DDRS System Administrators.
  Results of Testing: Rules of Behavior forms were not available for the DDRS System Administrators.

  DFAS-Arlington
  Control Activity: The DDRS Appendix M - Personnel Controls and Technical Security Controls, which is part of the DDRS SSAA, provides detailed descriptions of the DDRS user roles. The Personnel Controls and Technical Security document also describes the roles and responsibilities of the DDRS Program Manager, Information Assurance Officer, Terminal Area Security Officer, Database Administrators, and DDRS user. Additionally, each DDRS user is also required to read and sign the DDRS Rules of Behavior, which describes the rules each DDRS user is to follow.
  Test Procedure: Confirmed through inquiry that a management structure had been established. Read the DDRS PMO organizational chart and job descriptions to confirm that all positions were established in writing. Read the Appointment Letters for the Information Assurance Officer, Assistant Information Assurance Officer, and the
  Results of Testing: Eight of 18 PMO users did not have Rules of Behavior forms on file.
Information Assurance Manager\n                                                                     to confirm that each had been\n                                                                     appointed in writing with the\n                                                                     responsibilities of their positions\n                                                                     included in appointment letters.\n\n                                                                     Read the DDRS SSAA to\n                                                                     confirm that the security\n                                                                     management position was\n                                                                     outlined in the SSAA.\n\n                                                                     Inspected all 18 Rules of\n                                                                     Behavior forms to confirm that\n                                                                     the forms were on file for the\n                                                                     DDRS PMO staff.\n\n\n\n                                                         36\n\x0cCO\n               Control Objective                       Control Activity                         Test Procedure                      Results of Testing\nNo.\n 7    Owners and users are aware of         DISA DECC-Ogden                             DISA DECC-Ogden                      DISA DECC-Ogden\n      security policies.                    DISA DECC-Ogden maintains the               Read the Security Awareness          No relevant exceptions noted.\n                                            security awareness training program.        
Training briefing slides provided\n                                            This program requires each individual       by DISA DECC-Ogden.\n                                            with network access to complete\n                                            security awareness training on an annual    Inspected all six training sign-in\n                                            basis.                                      sheets to confirm that\n                                                                                        DISA DECC-Ogden employees\n                                                                                        had attended annual security\n                                                                                        awareness training.\n\n                                            DFAS-Arlington                              DFAS-Arlington                       DFAS-Arlington\n                                            DDRS has a DDRS Rules of Behavior           Inspected all 18 Rules of            Although security awareness\n                                            document. DDRS users must sign that         Behavior forms to confirm that       training was performed, there was\n                                            they have reviewed and agreed to the        forms were on file for the DDRS      no documented process in place\n                                            rules in order to gain access to DDRS.      PMO staff.                           for tracking that security\n                                            Additionally, security awareness                                                 awareness training occurred and\n                                            training for DFAS-Arlington is handled      Confirmed, through inquiry of        that DFAS personnel completed\n                                            through a community page via ePortal.       
the Information Assurance            the training.\n                                            A database is in development to allow       Manager, the process DFAS-\n                                            for better tracking of security awareness   Arlington maintained for\n                                            training completion.                        security awareness training.\n\n 8    An incident response capability has   DISA DECC-Ogden                             DISA DECC-Ogden                      DISA DECC-Ogden\n      been implemented.                     The DISA Regional Computer                  Confirmed through inspection         No relevant exceptions noted\n                                            Emergency Response Team located at          that the incident plan included in\n                                            Scott Air Force Base, IL is responsible     the DISA DECC-Ogden SSAA\n                                            for monitoring the intrusion detection      had been implemented. No\n                                            system. This system governs                 random sample of items was\n                                            DISA DECC-Ogden. Additional                 selected for testing because there\n                                            controls are in place to confirm that       were no incidents involving\n                                            authorized and unauthorized network         DDRS during our testing period.\n                                            access is monitored through\n                                            TCP_Wrapper and Klaxon or Banshee.          
Confirmed through inquiry of\n                                            Host based Intrusion Detection System,      the Information Assurance\n                                            Symantec Enterprise Security Manager,       Manager that a process was in\n                                            and Intruder Alert is installed on all      place for reporting computer\n                                            UNIX servers. If an incident occurs, an     security incidents.\n\n                                                                            37\n\x0cCO\n               Control Objective                          Control Activity                         Test Procedure                      Results of Testing\nNo.\n                                               e-mail is sent to the Information\n                                               Assurance Officer and a report of the\n                                               incident is drafted and sent to the\n                                               appropriate personnel. Remedial action\n                                               is then taken.\n\n\n                                               DFAS-Arlington                              DFAS-Arlington                       DFAS-Arlington\n                                               DFAS has an incident response team          Confirmed through inspection         No relevant exceptions noted.\n                                               that incidents are reported to. DDRS        that the incident plan included in\n                                               has an incident response plan that is       the DDRS SSAA had been\n                                               posted on the DDRS web site. The            implemented. 
No random\n                                               DDRS Rules of Behavior informs users        sample of items was selected for\n                                               of the incident response plan. The          testing because there were no\n                                               incident response plan is posted on the     incidents involving DDRS\n                                               DDRS web site at DFAS-                      during our testing period.\n                                               CERT@DFAS.MIL.\n                                                                                           Inspected all 18 Rules of\n                                                                                           Behavior forms to confirm that\n                                                                                           forms were on file for the DDRS\n                                                                                           PMO staff.\n\n 9    Hiring, transfer, termination, and       DISA DECC-Ogden                             DISA DECC-Ogden                      DISA DECC-Ogden\n      performance policies address security.   To ensure DISA DECC-Ogden is                Read the hiring, transfer,           Seven of nine SAAR forms\n                                               operated and continues to be maintained     termination, and performance         inspected did not have the\n                                               in a secure, controlled manner such that    policies of DISA DECC-Ogden          signatures of the Information\n                                               its data and other connected systems are    to confirm they were                 Assurance Officer on the SAAR\n                                               appropriately protected; the following      documented.                          
form.\n                                               personnel controls have been\n                                               implemented:                                Inspected all nine SAAR forms        One System Administrator did not\n                                                -National Agency Check personal            to confirm that a form was on        have a SAAR form on file.\n                                               security investigations are performed for   file for all System                  Additionally, access had not been\n                                               all functional users (civilian, military,   Administrators with access to        removed for that user in a timely\n                                               and contractors), as a minimum.             the DDRS Operating System.           manner. This user\xe2\x80\x99s access was\n                                                -Specified system and application                                               subsequently deleted because he\n                                               permissions are granted that only allow     Confirmed though inquiry that a      no longer required access to\n                                               access to required, need-to-know            DISA DECC-Ogden employee             DDRS.\n                                               information.                                was debriefed upon termination\n\n                                                                               38\n\x0cCO\n      Control Objective              Control Activity                         Test Procedure                      Results of Testing\nNo.\n                           -Specific DECC system training is          of employment and that a DISA\n                          performed.                                  
Form 70 was used to document\n                           -System Authorization Access Request       the collection of\n                          (SAAR) forms are completed for all          DISA DECC-Ogden property.\n                          DECC system users.\n                           -Registration of all users by DECC         Confirmed through observation\n                          System Administrators, Information          that an e-mail had been sent to\n                          Assurance Officer, or the specific data     the System Administrator to\n                          owners is performed.                        request that system access be\n                           -Unique User ID and passwords are          removed for a terminated\n                          required for all users.                     employee.\n                           -Initial and refresher Information\n                          Security training is conducted.             Inspected annual security\n                                                                      awareness training sign-in sheets\n                          Individuals requiring access to sensitive   for nine DISA DECC-Ogden\n                          information are processed for access        employees to confirm that each\n                          authorization.                              
had completed security\n                                                                      awareness training.\n                          Only individuals who have a valid need-\n                          to-know are granted access.\n\n                          Comprehensive account management\n                          process is implemented to ensure only\n                          authorized users can gain access.\n\n                          DFAS-Arlington                              DFAS-Arlington                      DFAS-Arlington\n                          DFAS has agency-wide policies and           Confirmed through inquiry that      Three of 18 SAAR forms did not\n                          procedures in place for the hiring,         agency-wide policies and            document justification for access\n                          transfer, and termination; and policies     procedures were available for       completed; another three of 18 did\n                          that address security clearance             the hiring, transfer, and           not document type of system\n                          requirements. Additionally, the DDRS        termination of DFAS personnel.      access.\n                          SSAA documents personnel screening\n                          requirements. Only personnel who have       Inspected all 18 SAAR forms to\n                          undergone the prescribed background         confirm that each form\n                          investigation, commensurate with the        contained the justification for\n                          designated position sensitivity, are        access, security clearance level,\n                          granted access to DFAS information.         
and was properly approved.\n                          The DFAS Human Resources Office\n\n                                                          39\n\x0cCO\n              Control Objective                     Control Activity                        Test Procedure                       Results of Testing\nNo.\n                                         oversees the activities required for\n                                         processing security clearance when\n                                         necessary system-level privileges will\n                                         be issued to DDRS users based on\n                                         assigned roles and responsibilities.\n\n                                         Only individuals who have a valid need-\n                                         to-know are granted access.\n                                         A comprehensive account management\n                                         process has been implemented to ensure\n                                         only authorized users can gain access.\n\n10    Employees have adequate training   DISA DECC-Ogden                            DISA DECC-Ogden                      DISA DECC-Ogden\n      and expertise.                     Training is conducted on a recurring       Confirmed through inquiry that       The System Administrator training\n                                         basis using a variety of methods such as   employees had training and           was outdated.\n                                         e-mail, Commanders Call, one-on-one        expertise necessary to perform\n                                         training sessions, as well as block        their job responsibilities.\n                                         briefings. 
Personnel are scheduled for\n                                         specific training on the Operating         Read System Administrator\n                                         Systems and Administrative software        training materials to confirm that\n                                         for the systems within                     they provided the System\n                                         DISA DECC-Ogden on an as needed            Administrators with training and\n                                         basis. All security-type training is       expertise necessary to perform\n                                         reported monthly to the Field Security     their job responsibilities.\n                                         Office.\n                                                                                    Inspected a random sample of\n                                                                                    training records to confirm that\n                                                                                    the System Administrators had\n                                                                                    completed the required Level 1\n                                                                                    or Level 2 training.\n\n                                         DFAS-Cleveland                             DFAS-Cleveland                       DFAS-Cleveland\n                                         Every DFAS-Cleveland software              Confirmed through inquiry that       The technical training program had\n                                         developer is trained in the use of         employees had training and           not been documented.\n                                         software development tools. 
DFAS           expertise necessary to perform       Additionally, there was no\n                                         Human Resources uses a training            their job responsibilities.          documentation available listing all\n                                         tracking system to track the completion                                         technical training available to staff.\n                                         of training. Supervisors and employees\n\n                                                                        40\n\x0cCO\n              Control Objective                         Control Activity                         Test Procedure                      Results of Testing\nNo.\n                                            coordinate annually to prepare               Confirmed through inquiry of\n                                            Individual Training Plans.                   the training manager that a\n                                                                                         training process was in place for\n                                                                                         DFAS-Cleveland DDRS staff.\n\n                                                                                         Inspected Individual\n                                                                                         Development Plans to confirm\n                                                                                         that a plan was on file for\n                                                                                         DFAS-Cleveland DDRS staff.\n\n                                            DFAS-Indianapolis                            DFAS-Indianapolis                    DFAS-Indianapolis\n                                            There are training requirements for          Confirmed through inquiry that       No relevant exceptions noted.\n                           
                 individuals at a system administrator        employees had the training and\n                                            level. The technical training                expertise necessary to perform\n                                            requirements for the system                  their job.\n                                            administrators are broken out by\n                                            different levels to include: Levels I, II,   Confirmed through inquiry of\n                                            and III. The supervisor determines the       the training manager that a\n                                            category or level that their system          process was in place for training\n                                            administrators should have.                  DFAS-Indianapolis DDRS staff.\n\n                                                                                         Inspected all six training records\n                                                                                         to confirm that DDRS DBAs\n                                                                                         had completed the required\n                                                                                         Level I, Level II, or Level III\n                                                                                         training.\n\n11    A program is implemented to confirm   DISA DECC-Ogden                              DISA DECC-Ogden                      DISA DECC-Ogden\n      that upon arrival and periodically    Each new employee and contactor is           Read the security awareness          No relevant exceptions noted.\n      thereafter, all personnel receive     provided with a security briefing (they      briefing used to provide training\n      training and familiarization to       must also sign that they have received       for new employees at\n      
perform their assigned Information    this briefing). This briefing is provided    DISA DECC-Ogden.\n      Assurance responsibilities.           annually. New employees and\n                                            contractors are also required to take the    Inspected 17 training records to\n                                            mandatory CD-ROM-based security              confirm that employees had\n                                            courses and associated tests to be           completed the necessary security\n                                            certified as an ADP Level I or Level II      awareness training.\n                                            before access is allowed to the systems.\n\n                                                                              41\n\x0cCO\n      Control Objective              Control Activity                       Test Procedure                     Results of Testing\nNo.\n\n                          DFAS-Arlington                            DFAS-Arlington                     DFAS-Arlington\n                          Each new employee and contractor is       Confirmed through inquiry of       Although security awareness\n                          provided with a security briefing. They   the Information Assurance          training was performed, there was\n                          must also sign that they have received    Manager the process DFAS-          no documented process in place to\n                          this briefing before they are granted     Arlington maintains for security   track whether security awareness\n                          access to DDRS. This briefing is posted   awareness training.                
training was completed.\n                          on the ePortal so that each DFAS user\n                          can repeat the briefing annually.\n\n                          DFAS-Cleveland                            DFAS-Cleveland                     DFAS-Cleveland\n                          Each new DFAS-Cleveland employee          Read the Security Awareness        Training materials were outdated\n                          and contractor has been provided with a   Training briefing charts           and there was no completion\n                          security briefing (they must also sign    provided by DFAS-Cleveland.        notification sent to the Information\n                          that they have received this briefing).                                      Assurance Manager or reviewed\n                          This briefing was provided online.        Inspected a random sample of 34    by the Information Assurance\n                                                                    DFAS-Cleveland employees to        Manager for new employees.\n                                                                    confirm the completion of the\n                                                                    necessary security training and    Five of 34 Technology Services\n                                                                    that the required signoff          Organization (TSO) personnel\n                                                                    signatures had been obtained.      
randomly sampled had not\n                                                                                                       completed security awareness\n                                                                                                       training.\n\n                          DFAS-Indianapolis                         DFAS-Indianapolis                  DFAS-Indianapolis\n                          Mandatory security awareness training     Read the Security Awareness        No relevant exceptions noted.\n                          is conducted for all government           Training briefing charts\n                          employees and contractors. A record is    provided by DFAS-Indianapolis.\n                          kept of each attendee, as well as the\n                          specific training and dates attended.     Inspected all eight training\n                                                                    records to confirm that the\n                                                                    necessary security training had\n                                                                    been completed and that\n                                                                    employees had signed off on the\n                                                                    training.\n\n\n\n\n                                                         42\n\x0cCO\n               Control Objective                        Control Activity                         Test Procedure                     Results of Testing\nNo.\n12    Management periodically assesses the   DISA DECC-Ogden                             DISA DECC-Ogden                     DISA DECC-Ogden\n      appropriateness of security policies   Automated SRR scripts are run on each       Read the February 2004 Risk         No relevant exceptions noted.\n      and compliance with them.              
      DISA DECC-Ogden (continued)
      Control Activity (continued): server and reported to the Montgomery SRR database weekly. Each system has a SRR and an Information Security System scan before it is connected to the network. The DISA DECC-Ogden Field Security Office runs periodic SRRs and Information Security System scans. DISA DECC-Ogden conducts reviews of the SSAA, which includes the operation facility environmental risk assessment that is renewed and reviewed annually.
      Test Procedure (continued): Assessment that was performed with the DITSCAP to confirm that risks were periodically assessed. Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Inspected a single SRR performed by DISA DECC-Ogden and inspected the Vulnerability Management System report to confirm findings identified by the SRR process had been addressed. Read the DISA DECC-Ogden SSAA to confirm it had been documented, updated, and appropriately approved.

      DFAS-Arlington
      Control Activity: Every three years, management reviews and assesses the DDRS application security policies and compliance with them during the DITSCAP review process.
      Test Procedure: Read the Risk Assessment dated June 28, 2002, that was performed during the DITSCAP process to confirm that risks were periodically assessed. Read the DDRS SSAA to confirm it had been documented, updated, and appropriately approved.
      Results of Testing: No relevant exceptions noted.

CO No. 13   Control Objective: Management ensures that corrective actions are effectively implemented.

      DISA DECC-Ogden
      Control Activity: Corrective actions are tracked with the Vulnerability Management System and the Information Assurance Vulnerability Alert process to track and maintain system vulnerability status. DISA DECC-Ogden also utilizes Security Technical Implementation Guides (STIGs), Information Assurance Support Environment, Field Security Office, and weekly SRRs to ensure compliance with DISA policies.
      Test Procedure: Observed the SRR process to confirm that it occurred and that corrective actions were tracked. Inspected a single SRR performed by DISA DECC-Ogden and inspected the Vulnerability Management System reports to confirm findings identified by the SRR process had been addressed.
      Results of Testing: No relevant exceptions noted.

      DFAS-Arlington
      Control Activity: Management follows up when corrective actions are identified. After each audit an action plan is developed for resolution of any issues. DFAS Information Technology follows up on and tracks the status of CFO audits. DFAS Internal Review follows up on internal audits and tracks issue resolution. The DFAS Acquisition Management Organization is developing a master tracking system covering all Acquisition Management Organization program issues.
      Test Procedure: Confirmed through inquiry that there was a process in place for tracking findings and corrective actions for DFAS-Arlington.
      Results of Testing: No relevant exceptions noted.

CO No. 14   Control Objective: A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place.

      DISA DECC-Ogden
      Control Activity: Corrective actions are accomplished through the Vulnerability Management System and the Information Assurance Vulnerability Alert process to track and maintain system vulnerability status. Additionally, Automated SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has a Security Readiness Review and an Information Security System scan before it is connected to the network. The DISA DECC-Ogden Field Security Office runs periodic SRRs and Information Security System scans. This is covered through the periodic compliance review of the UNIX STIG. DISA DECC-Ogden conducts a review of the SSAA, which includes the operation facility environmental risk assessment, on an annual basis.
      Test Procedure: Read the risk assessment dated February 20, 2004, that was performed with the DITSCAP process to confirm that risks were periodically assessed. Observed the SRR process to confirm that corrective actions were implemented for identified SRR findings. Inspected a single SRR and inspected the Vulnerability Management System reports to confirm findings identified by the SRR process had been addressed.
      Results of Testing: No relevant exceptions noted.

      DFAS-Cleveland
      Control Activity: A Software Quality Assurance Plan and Software Process Improvement Plan are in place for the systematic identification and mitigation of software vulnerabilities.
      Test Procedure: Read the DDRS Software Quality Assurance Plan and Software Process Improvement Plan to confirm that they existed and were approved by management. Inspected all six DDRS-AFS releases to confirm that DFAS-Cleveland developers were following their documented policies and procedures.
      Results of Testing: The following exceptions were noted during our testing of all six DDRS-AFS module releases. We noted the following missing elements: FRR SQA Presence; Function Requirements Review Statement of Agreement; Test Readiness Review and Systems Integration Testing Checklist; Test Readiness Review and Systems Integration Testing Attendee List; Test Readiness Review and Systems Integration Testing Open Item List; Test Readiness Review and Systems Integration Testing Statement of Agreement; Test Readiness Review and Functional Validation Testing Checklist; Test Readiness Review and Functional Validation Testing Attendee List; Test Readiness Review and Functional Validation Testing Open Item List; Test Readiness Review and Functional Validation Testing Statement of Agreement; Functional Validation Testing Certification Form; Release Implementation Readiness Review Statement of Agreement; Post Implementation Readiness Review Signature; Final Physical Configuration Audit; and Final Functional Configuration Audit.

CO No. 15   Control Objective: Changes to the DoD information system are assessed for IA and accreditation impact prior to implementation.

      DISA DECC-Ogden
      Control Activity: As part of the DITSCAP process, the DISA DECC-Ogden Information Assurance Manager conducts and reviews the SSAA on an annual basis or when there is a major change. Additionally, Automated SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has a SRR and an Information Security System scan before it is connected to the network. The DISA Field Security Office runs periodic SRRs and Information Security System scans.
      Test Procedure: Read the risk assessment dated February 20, 2004, that was performed with the DITSCAP process to confirm that risks were periodically assessed. Confirmed through inquiry with the Information Assurance Manager that the SSAA was updated on an annual basis. Observed the SRR process to confirm that corrective actions were implemented for identified SRR findings. Inspected a single SRR and the Vulnerability Management System reports to confirm findings identified by the SRR process had been addressed.
      Results of Testing: No relevant exceptions noted.

      DFAS-Arlington
      Control Activity: The Information Assurance Officer reviews all system changes for Information Assurance impact prior to approval by the DDRS Configuration Change Board. The DDRS application security risks are randomly sampled and analyzed every three years. These risks are reported to DFAS Information Assurance management, and are considered for accreditation and re-accreditation every three years.
      Test Procedure: Confirmed through inquiry that the Information Assurance Manager was involved in the Configuration Change Board and assessed the DDRS changes for their impact on information assurance. Confirmed through inquiry with the Information Assurance Manager that the SSAA was updated every three years. Read the DDRS SSAA to confirm it had been documented, updated, and appropriately approved.
      Results of Testing: No relevant exceptions noted.

CO No. 16   Control Objective: A DoD reference document constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled Information Technology products.

      DISA DECC-Ogden
      Control Activity: As part of the DITSCAP process, the DISA DECC-Ogden Information Assurance Manager conducts and reviews the SSAA on an annual basis or when there is a major change. Additionally, Automated SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis. Each system has a SRR and an Information Security System scan before it is connected to the network. The DISA Field Security Office runs periodic SRRs and Information Security System scans. This is covered through the periodic compliance review of the Unix Security Technical Implementation Guide.
      Test Procedure: Read the risk assessment dated February 20, 2004, that was performed with the DITSCAP to confirm that risks were periodically assessed. Confirmed through inquiry with the Information Assurance Manager that the SSAA was updated on an annual basis. Observed the SRR process to confirm that corrective actions were implemented for identified SRR findings. Inspected a single SRR and the Vulnerability Management System reports to confirm findings identified by the SRR process had been addressed. Read the UNIX STIG and the DISA DECC-Ogden SSAA to confirm that they constituted the primary source of configuration or implementation guidance for the deployment of newly acquired IA and IA-enabled products.
      Results of Testing: No relevant exceptions noted.

Access Controls

CO No. 17   Control Objective: Resource classifications and related criteria have been established.

      DFAS-Arlington
      Control Activity: DoD Instruction 8500.2 states (paraphrased): It is public information if it has been formally reviewed and approved for public release in accordance with DoD Directive 5230.9, "Clearance of DoD Information for Public Release," April 9, 1996. It is classified information if it has been specifically authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy. Only an Originating Classification Authority has the authority to classify information, and DFAS does not have that authority. Therefore, DFAS treats its information as being classified only when it is marked as such or when compiling information as indicated by an existing classification guide originating from outside of DFAS. None of the data contained within DDRS is classified or cleared for public release; therefore DDRS data is considered sensitive but unclassified.
      Test Procedure: Confirmed through inquiry of the Information Assurance Officer that DDRS data had been classified as sensitive but unclassified. Read the SSAA to confirm that data had been classified as sensitive but unclassified.
      Results of Testing: No relevant exceptions noted.

CO No. 18   Control Objective: Owners have classified resources.

      DFAS-Arlington
      Control Activity: DDRS does not contain or store classified data. Final reports produced by DDRS are often reviewed and approved for public release, but this process is performed outside DDRS. Financial information processed and stored by DDRS is processed and stored as Sensitive data in accordance with the definition found in DoD 5200.1-R, "Information Security Program," January 1997. Security audit reports displaying user names are marked “For Official Use Only” in accordance with DoD guidance on Privacy Act data.
      Test Procedure: Confirmed through inquiry of the Information Assurance Officer that DDRS data had been classified as Sensitive But Unclassified. Read the SSAA to confirm that data had been assigned a classification level of Sensitive But Unclassified.
      Results of Testing: No relevant exceptions noted.

CO No. 19   Control Objective: Resource owners have identified authorized users and their access authorized.

      DISA DECC-Ogden
      Control Activity: There are three levels of privileged accounts for the DDRS Operating System. These levels are based on need-to-know access rules. All users must fill out the SAAR form and have a Government official sign the form, confirming need-to-know access.
      Test Procedure: Confirmed through inquiry of the DDRS System Administrator the process for obtaining an administrator account on the DDRS Operating System. Inspected all nine SAAR forms to confirm that a form was on file for all System Administrators with access to the DDRS Operating System.
      Results of Testing: Seven of nine SAAR forms inspected did not have the signature of the Information Assurance Officer on the SAAR form. One System Administrator did not have a SAAR form on file. Additionally, access had not been removed for that user in a timely manner. This user’s access was subsequently deleted because he no longer required access to DDRS.

      DFAS-Arlington
      Control Activity: The DDRS Functional Data Owners identify and establish the authorized DDRS users by signing the SAAR form. The database administrators will not accept a new user request unless it is from a Functional Data Owner.
      Test Procedure: Confirmed through inquiry of the Information Assurance Officer the process for obtaining a user account on DDRS. Inspected all 18 SAAR forms to confirm that a form was on file for the DDRS PMO staff with access to DDRS. Inspected all 22 access forms to confirm that a form was on file for PMO staff with access to the CMIS.
      Results of Testing: Three of 18 SAAR forms did not document justification for access; another three of 18 did not document type of system access. One of 22 CMIS PMO users had access to roles that were not required for his duties. Seven of 22 CMIS PMO users were former DDRS PMO staff, but their access to CMIS had not been terminated.

      DFAS-Cleveland
      Control Activity: Cleveland Management has identified and authorized Configuration Management Information System (CMIS), Program Version Control System (PVCS), and Oracle Versioning users, and their access has been documented and approved. CMIS is used by PMO staff to track system changes made to DDRS.
      Test Procedure: Confirmed the process for recording access to the CMIS, the PVCS, and the Oracle Versioning application through inquiry of the following DDRS personnel: DDRS Configuration Manager; PVCS Configuration Manager; and DDRS Budgetary Module Team Lead. Inspected CMIS access forms to confirm that a form was on file for the 33 DDRS development staff with access to the CMIS. Inspected all 31 6i Repository User Access Forms to confirm that a form was on file for the DDRS development staff with access to the Oracle Versioning System. Requested access forms to confirm that a form was on file for DDRS development staff with access to the PVCS.
      Results of Testing: There were no forms used to track PVCS access.

      DFAS-Indianapolis
      Control Activity: DDRS Database Administrator (DBA) access to production servers is documented through a SAAR form. These forms are maintained by DISA DECC-Ogden.
      Test Procedure: Inquired of the DDRS Project Manager and the lead DBA of the process for granting DBAs access to DDRS. Inspected all six SAAR forms to confirm that a form was on file for the DBAs with access to DDRS. Inquired of the end user account administrator regarding the DDRS end user account creation, modification, deletion, and password reset process.
      Results of Testing: One of six SAAR forms for DBAs did not have the justification for access completed on the SAAR form. None of the six SAAR forms inspected for DBAs had the signatures of the Functional Data Owner and Information Assurance Officer. One of six DBAs approved his own SAAR form.

CO No. 20   Control Objective: Emergency and temporary access authorization is controlled.

      DISA DECC-Ogden
      Control Activity: DISA DECC-Ogden has not issued emergency and temporary access authorization to the DDRS Operating System over the past year. If a vendor needs to make a change to the Operating System, the DDRS system administrators will complete the required actions with the vendor present.
      Test Procedure: Confirmed through inquiry of the System Administrator the process for obtaining an administrator account on the DDRS Operating System. Confirmed with the System Administrator that the vendor was present when changes were made.
      Results of Testing: No relevant exceptions noted.

      DFAS-Arlington
      Control Activity: If an emergency or temporary account is needed, the individual must complete the user access request SAAR form. Emergency or temporary access is controlled using the same controls as normal access, but with a higher priority. If a non-user has an urgent DDRS data request, they must ask an authorized DDRS user to produce it for them.
      Test Procedure: Confirmed through inquiry of the Information Assurance Officer the process for obtaining an emergency or temporary DDRS administrator account.
      Results of Testing: No relevant exceptions noted.

      DFAS-Cleveland
      Control Activity: DFAS-Cleveland does not grant emergency or temporary access to the PVCS, Oracle Versioning application, and CMIS.
      Test Procedure: Confirmed through inquiry of the DDRS Configuration Manager, PVCS Configuration Manager, and DDRS Budgetary Module Team Lead the process for recording access to the CMIS, the PVCS, and the Oracle Versioning application.
      Results of Testing: No relevant exceptions noted.

      DFAS-Indianapolis
      Control Activity: Emergency access for a new account is rarely, if ever, granted.
      Test Procedure: Inquired of the DDRS Project
      Results of Testing: No relevant exceptions noted.
There are some     Manager and the lead DBA of\n                          emergency resets of existing account        the process for obtaining\n                          passwords that are handled by the           emergency or temporary DBA\n                          Technology Services Organization            access to DDRS.\n                          Mid-tier Support Team. Temporary\n                          access is authorized for limited\n                          capability on demonstrations and\n                          specific software for a limited amount of\n                          time. This access is with government\n                          personnel supervising or assisting for\n                          the period of the demonstration only.\n\n\n                                                          52\n\x0cCO\n               Control Objective                       Control Activity                         Test Procedure                      Results of Testing\nNo.\n21    Owners determine disposition and      DFAS-Arlington                              DFAS-Arlington                       DFAS-Arlington\n      sharing of data.                      Access to and sharing of data within        Confirmed through inquiry of         No relevant exceptions noted.\n                                            DDRS is controlled by user roles and        the Information Assurance\n                                            work areas. Work areas restrict user        Officer that DDRS data had\n                                            access to specific data subsets based on    been classified as sensitive but\n                                            their organizational responsibility.        
unclassified and confirmed the\n                                            Functional Data Owners at the DDRS          lack of automated system\n                                            PMO are responsible for maintaining         interfaces.\n                                            the user roles and work areas within\n                                            DDRS in accordance with approved            Read the SSAA to confirm that\n                                            SAAR forms.                                 data had been assigned a\n                                                                                        classification level of sensitive\n                                                                                        but unclassified and that there\n                                                                                        were no automated system\n                                                                                        interfaces.\n\n22    Adequate physical security controls   DISA DECC-Ogden                             DISA DECC-Ogden                      DISA DECC-Ogden\n      have been implemented.                Each individual must first gain access to   Observed the physical                No relevant exceptions noted.\n                                            Hill Air Force Base, UT. Then the           safeguards in place for\n                                            individual has to pass through a guard at   DISA DECC-Ogden.\n                                            the front desk where proper\n                                            identification must be displayed to allow   Observed that facility\n                                            the individual access to the Data Center.   
penetration testing processes\n                                            To enter the Data Center, an individual     were in place that included\n                                            must have a swipe badge with the            periodic, unannounced attempts\n                                            appropriate level of access.                to penetrate key computing\n                                                                                        facilities. Additionally, observed\n                                                                                        that every physical access point\n                                                                                        that displayed sensitive\n                                                                                        information or unclassified\n                                                                                        information that had not been\n                                                                                        cleared for release was\n                                                                                        controlled during business hours\n                                                                                        and guarded or locked during\n                                                                                        non-business hours.\n\n\n\n\n                                                                            53\n\x0cCO\n      Control Objective              Control Activity                       Test Procedure                       Results of Testing\nNo.\n                          DFAS-Arlington                            DFAS-Arlington                       DFAS-Arlington\n                          Access to DFAS-Arlington is controlled    Observed the physical                No relevant exceptions noted.\n                          using building identification badges     
 safeguards in place for\n                          such as the Pentagon or CM3 badge.        DFAS-Arlington.\n                          Security guards at the entrance enforce\n                          the use of badges.                        Interviewed building security\n                                                                    personnel to confirm that\n                                                                    appropriate physical security\n                                                                    controls had been implemented.\n\n                                                                    Inspected the Access Procedures\n                                                                    Crystal Mall policies in place for\n                                                                    controlling access to\n                                                                    DFAS-Arlington.\n\n                          DFAS-Cleveland                            DFAS-Cleveland                       DFAS-Cleveland\n                          DFAS-Cleveland is a tenant of a           Observed the physical                There were no documented\n                          government-shared public building         safeguards in place for DFAS-        DFAS-specific visitor policies in\n                          employing security guards and metal       Cleveland.                           place and there were inadequate\n                          detectors at the entrance.                                                     
physical security controls to\n                                                                    Interviewed building security        restrict access to the DDRS\n                                                                    personnel to confirm that            developer workspace.\n                                                                    appropriate physical security\n                                                                    controls had been implemented.\n\n                          DFAS-Indianapolis                         DFAS-Indianapolis                    DFAS-Indianapolis\n                          General Services Administration and       Observed the physical                No relevant exceptions noted.\n                          Homeland Security have complete           safeguards in place for DFAS-\n                          control over facility access by all       Indianapolis.\n                          individuals. A metal detector is\n                          employed to screen all individuals and    Interviewed building security\n                          their baggage on entering the facility.   personnel to conform that\n                                                                    required physical security\n                                                                    controls had been implemented.\n\n\n\n\n                                                          54\n\x0cCO\n               Control Objective                         Control Activity                         Test Procedure                     Results of Testing\nNo.\n23    Physical safeguards have been          DISA DECC-Ogden                              DISA DECC-Ogden                     DISA DECC-Ogden\n      established that are commensurate      Each individual must first gain access to    Confirmed that facility             No relevant exceptions noted.\n      with the risks of physical damage or   Hill Air Force Base, UT. 
During              penetration testing processes\n      access.                                normal duty hours, visitors are              were in place that included\n                                             controlled by a person posted in the         periodic, unannounced attempts\n                                             lobby. Entry is also controlled for          to penetrate key computing\n                                             computer rooms. Building 891 is a one-       facilities. Further, every\n                                             story structure. There are nine entry and    physical access point that\n                                             exit points. All are locked or controlled.   displayed sensitive but\n                                             The facility contains 142,792 square         unclassified information that had\n                                             feet. The building uses commercial           not been cleared for release was\n                                             power. In the event of a commercial          controlled during business hours\n                                             power failure, the building can operate      and guarded or locked during\n                                             by using the Uninterruptible Power           non-business hours.\n                                             Source, supplemented by backup\n                                             generators, which ensures continued          Observed that the DDRS Data\n                                             operation. The facility has 1,200 tons       Center was protected by fire\n                                             cooling capacity.                            
suppression and these prevention\n                                                                                          devices were installed and\n                                                                                          working. Observed that there\n                                                                                          was an Uninterruptible Power\n                                                                                          Source and that the cooling\n                                                                                          system was maintained.\n\n                                                                                          Confirmed that\n                                                                                          DISA DECC-Ogden contained a\n                                                                                          master power override switch to\n                                                                                          stop the power flow to\n                                                                                          Information Technology\n                                                                                          equipment and that the master\n                                                                                          power override switch was\n                                                                                          optimally located at the entrance\n                                                                                          of the data center and clearly\n                                                                                          labeled.\n\n\n\n\n                                                                             55\n\x0cCO\n               Control Objective                Control Activity                           Test Procedure          
             Results of Testing\nNo.\n24    Visitors are controlled.     DISA DECC-Ogden                                 DISA DECC-Ogden                      DISA DECC-Ogden\n                                   Each visitor to the DISA DECC-Ogden             Read the visitor policy and          No relevant exceptions noted.\n                                   facility must first gain access to Hill Air     procedure for\n                                   Force Base, UT. Then the visitor must           DISA DECC-Ogden to confirm\n                                   pass by a guard at the front desk where         they were documented.\n                                   the visitor must sign the visitor control       Observed the visitor check-in\n                                   log. Next, an employee of the Data              and check-out process for\n                                   Center must sign the visitor control log        DISA DECC-Ogden.\n                                   as escort for the visitor. Additionally,\n                                   the visitor must be issued and wear a           Confirmed through inquiry and\n                                   temporary badge at all times while              observation that visitor access to\n                                   inside the Data Center. Finally, when           DoD information was\n                                   the visitor exits the facility, the visitor\'s   determined by both its\n                                   badge must be returned to the front             classification and user need-to-\n                                   desk.                                           
know.\n\n                                                                                   Inspected 45 visitor request\n                                                                                   letters to verify they existed and\n                                                                                   were maintained.\n\n                                   DFAS-Arlington                                  DFAS-Arlington                       DFAS-Arlington\n                                   Visitors to DFAS-Arlington must have a          Read the visitor policy and          No relevant exceptions noted.\n                                   visitor\'s badge and must have an escort         procedure for DFAS-Arlington\n                                   depending on the type of identification         to confirm they were\n                                   provided to the security guards.                documented. Observed the\n                                                                                   visitor check-in and check-out\n                                                                                   process for DFAS-Arlington.\n                                                                                   Confirmed through inquiry and\n                                                                                   observation that visitor access to\n                                                                                   DoD information was\n                                                                                   determined by its classification\n                                                                                   and user need-to-know.\n\n                                   DFAS-Cleveland                                  DFAS-Cleveland                       DFAS-Cleveland\n                                   Visitors to DFAS-Cleveland must have            Requested the visitor policy 
and     Five of 12 visitor request letters\n                                   a DoD Identification Badge or must be           procedure for DFAS-Cleveland         were missing. Additionally, there\n                                   escorted.                                       to confirm they were                 was not a DFAS specific visitor\n                                                                                   documented. Observed the             log and individuals were only\n\n                                                                      56\n\x0cCO\n               Control Objective                         Control Activity                          Test Procedure                       Results of Testing\nNo.\n                                                                                          visitor check in and check out        required to sign a general facility\n                                                                                          process for DFAS-Cleveland.           
visitor\xe2\x80\x99s log when the individual\n                                                                                                                                did not have a photo ID.\n                                                                                          Confirmed through inquiry and\n                                                                                          observation that visitor access to\n                                                                                          DoD information was\n                                                                                          determined by both its\n                                                                                          classification and user need-to-\n                                                                                          know.\n\n                                                                                          Requested all 12 visitor request\n                                                                                          letters to verify that they existed\n                                                                                          and were being retained.\n\n                                              DFAS-Indianapolis                           DFAS-Indianapolis                     DFAS-Indianapolis\n                                              A valid ID must be displayed and            Read the visitor policy and           No relevant exceptions noted.\n                                              presented to the guard at each entry of     procedure for DFAS-\n                                              the building. If a person has no valid      Indianapolis to confirm they\n                                              identification, they are directed to the    were documented. 
Observed the\n                                              security office for issuance of a visitor   visitor check in and check out\n                                              badge. The visitor badge must be signed     process for DFAS-Indianapolis.\n                                              for by someone in the office being\n                                              visited and the visitor must be escorted    Confirmed through inquiry and\n                                              by that individual.                         observation that visitor access to\n                                                                                          DoD information is determined\n                                                                                          by its classification of the data\n                                                                                          and user need-to-know.\n\n                                                                                          Inspected visitor sign-in sheets\n                                                                                          to verify that they were being\n                                                                                          maintained.\n25    Adequate logical access controls have   DISA DECC-Ogden                             DISA DECC-Ogden                       DISA DECC-Ogden\n      been implemented at the application     To gain logical access to the DDRS          Confirmed through inquiry of          Seven of nine SAAR forms\n      and Operating System layer.             Operating System a user must have a         the DDRS System Administrator         inspected did not have the\n                                              valid User ID and password.                 
the process for obtaining an          signature of the Information\n                                                                                          administrator account on the          Assurance Officer on the SAAR\n                                                                                          DDRS Operating System.                form.\n\n\n                                                                              57\n\x0cCO\n      Control Objective               Control Activity                       Test Procedure                      Results of Testing\nNo.\n                                                                     Inspected all nine SAAR forms       One System Administrator did not\n                                                                     to confirm that a form was on       have a SAAR form on file.\n                                                                     file for all System                 Additionally, access had not been\n                                                                     Administrators with access to       removed for that user in a timely\n                                                                     the DDRS Operating System.          manner. 
This user\xe2\x80\x99s access was\n                                                                                                         subsequently deleted because he\n                                                                                                         no longer required access to\n                                                                                                         DDRS.\n\n                          DFAS-Arlington                             DFAS-Arlington                      DFAS-Arlington\n                          To gain access to the DFAS-Arlington       Confirmed through inquiry of        Three of 18 SAAR forms did not\n                          Network, users must use a DoD              the Information Assurance           document justification for access;\n                          Common Access Card and pin number.         Officer the process for obtaining   another three of 18 did not\n                          Additionally, a user must have an          a user account on DDRS.             document type of system access\n                          authorized User ID and password to         Inspected all 18 SAAR forms to      One of 22 CMIS PMO users had\n                          gain access to the DDRS application.       
confirm that a form was on file     access to roles that were not\n                                                                     for the DDRS PMO staff with         required for his duties.\n                                                                     access to DDRS.\n                                                                                                         Seven of 22 CMIS PMO users\n                                                                     Inspected all 22 access forms to    were former DDRS PMO staff, but\n                                                                     confirm that a form was on file     their access to CMIS had not been\n                                                                     for PMO staff with access to the    terminated.\n                                                                     CMIS.\n\n                          DFAS-Cleveland                             DFAS-Cleveland                      DFAS-Cleveland\n                          User authentication is required for        Confirmed through inquiry of        There were no forms used to track\n                          access to user workstations, and an        DDRS Configuration Manager,         PVCS access.\n                          additional authentication is required to   PVCS Configuration Manager,\n                          access the software development tools      and DDRS Budgetary Module\n                          PVCS, CMIS, and Oracle versioning.         
(continued from the previous page)

  DFAS-Cleveland
    Test Procedure (continued): ... Team Lead the process for recording access to the CMIS, the PVCS, and the Oracle Versioning application.
      - Inspected CMIS access forms to confirm that a form was on file for the 33 DDRS development staff with access to the CMIS.
      - Inspected all 31 6i Repository User Access Forms for DFAS-Cleveland DDRS staff members to confirm that a form was on file for the DDRS development staff with access to the Oracle Versioning System.
      - Requested access forms to confirm that a form was on file for DDRS development staff with access to the PVCS.

  DFAS-Indianapolis
    Control Activity: Technology Services Organization access to all systems is controlled either through Form 1018 (mid-tier access request) or, for DISA platforms or applications, through a SAAR form that must be completed and signed by the Functional Data Owner, the supervisor, and the Terminal Area Security Officer.
    Test Procedure:
      - Inquired of the DDRS Project Manager and the lead DBA about the process used for granting DBAs access to DDRS.
      - Inspected all six SAAR forms to confirm that a form was on file for DBAs with access to DDRS.
      - Inquired of the end user account administrator regarding the DDRS end user account creation, modification, deletion, and password reset process.
    Results of Testing:
      - One of six SAAR forms for DBAs did not have the justification for access completed on the form.
      - None of the six SAAR forms inspected for DBAs had the signatures of the Functional Data Owner and the Information Assurance Officer.
      - One of six DBAs approved his own SAAR form.

CO 26. Control Objective: Passwords, tokens, or other devices are used to identify and authenticate users.

  DISA DECC-Ogden
    Control Activity: To gain logical access to the DDRS Operating System, a user must have a correct User ID and password. Password parameters are as follows:
      - Password must be at least 8 characters in length, and
      - Password must contain two of the following three: at least one upper case letter, a number, or a special character (@, #, $, or _).
    Test Procedure:
      - Confirmed through inquiry of the DDRS System Administrator that passwords were used to authenticate Operating System users.
      - Reviewed password settings within Solaris for compliance with Security Technical Implementation Guide requirements.
    Results of Testing: Password complexity could not be enforced on the Solaris platform, due to Operating System limitations. Solaris was the Operating System used for DDRS.

  DFAS-Arlington
    Control Activity: A user ID and password are required to access DDRS.
    Test Procedure:
      - Confirmed through inquiry of the DDRS Information Assurance Officer that passwords were required to authenticate DDRS end users.
      - Reviewed DDRS password settings to confirm compliance with DoD Instruction 8500.2 requirements.
    Results of Testing: DDRS did not log users out after a specified period of inactivity, and users were not automatically prompted to change the initial generic password that they were issued.

  DFAS-Indianapolis
    Control Activity: Workstation authentication is controlled using Common Access Card smartcard Public Key Infrastructure tokens. All developer tools require a login using a user ID and password unique to the individual.
    Test Procedure:
      - Confirmed through inquiry of the end user account administrator the process for password resets and new user password creation.
      - Confirmed through inquiry of the end user account administrator that passwords were changed from default password settings.
    Results of Testing: No relevant exceptions noted.

CO 27. Control Objective: Access paths are identified as part of a risk analysis and documented in an access path diagram.

  DISA DECC-Ogden
    Control Activity: The vast amount of information stored, processed, and transferred by the Automated Information systems makes them a lucrative target of a diverse, worldwide threat intent on compromise of data, corruption of data, disruption of service, or actual physical destruction. The threat is diverse in source, motivation, sophistication, technique, and time. It includes hackers fascinated by technical challenge, foreign governments with military and economic interests, disgruntled employees, and unintentional software errors. While the threat is predominantly in the operational phase of the system life cycle, it is present throughout the system development and system sustainment phases. Automated Information systems frequently serve users through direct and networked dial-up connections. A logical network diagram has been developed which documents the access paths for DDRS.
    Test Procedure:
      - Confirmed through inquiry of the Lead Firewall Technician and Communications Chief that an access path diagram existed and was current.
      - Read network diagrams to confirm that they were accurate and current.
      - Read the DISA DECC-Ogden SSAA to confirm that logical access paths were identified and approved by management.
    Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
    Control Activity: Access paths are identified and diagrammed in the DDRS SSAA.
    Test Procedure:
      - Confirmed through inquiry of the Information Assurance Manager that an access path diagram existed and was current.
      - Read the DDRS SSAA to confirm that logical access paths were identified and approved by management.
    Results of Testing: No relevant exceptions noted.

CO 28. Control Objective: Access is restricted to data files and software programs.

  DISA DECC-Ogden
    Control Activity: DISA DECC-Ogden creates user IDs and passwords as well as access levels as documented in the SAAR form.
    Test Procedure:
      - Confirmed through inquiry of the DDRS System Administrator the process for obtaining an administrator account on the DDRS Operating System.
      - Inspected all nine SAAR forms to confirm that a form was on file for all System Administrators with access to the DDRS Operating System.
    Results of Testing:
      - Seven of nine SAAR forms inspected did not have the signature of the Information Assurance Officer on the SAAR form.
      - One System Administrator did not have a SAAR form on file. Additionally, access had not been removed for that user in a timely manner. This user's access was subsequently deleted because he no longer required access to DDRS.

  DFAS-Arlington
    Control Activity: Access to DDRS data and to any DDRS program is restricted by using user authentication. Access is restricted by the Functional Data Owners. Individuals must have a requirement or need-to-know to access a specific application. The access for each application or database is granted by Functional Data Owners.
    Test Procedure:
      - Confirmed through inquiry of the Information Assurance Officer the process for obtaining a user account on DDRS.
      - Inspected all 18 SAAR forms to confirm that a form was on file for the DDRS PMO staff with access to DDRS.
      - Inspected all 22 access forms to confirm that a form was on file for PMO staff with access to the CMIS.
    Results of Testing:
      - Three of 18 SAAR forms did not document justification for access; another three of 18 did not document the type of system access.
      - One of 22 CMIS PMO users had access to roles that were not required for his duties.
      - Seven of 22 CMIS PMO users were former DDRS PMO staff, but their access to CMIS had not been terminated.

  DFAS-Cleveland
    Control Activity: Configuration Control and Versioning control systems are in place throughout the development and implementation process to ensure access control. These systems are CMIS, PVCS, and Oracle Designer.
    Test Procedure:
      - Confirmed the process for recording access to the CMIS, the PVCS, and the Oracle Versioning application through inquiry of the following DDRS personnel: DDRS Configuration Manager; PVCS Configuration Manager; and DDRS Budgetary Module Team Lead.
      - Inspected CMIS access forms to confirm that a form was on file for the 33 DDRS development staff with access to the CMIS.
      - Inspected all 31 6i Repository User Access Forms on DFAS-Cleveland staff members to confirm that a form was on file for the DDRS development staff with access to the Oracle Versioning System.
      - Requested access forms to confirm that a form was on file for DDRS development staff with access to the PVCS.
    Results of Testing: There were no forms used to track PVCS access.

  DFAS-Indianapolis
    Control Activity: DBA access is documented on the DISA Form 41, which is maintained by DISA Ogden, and access is restricted to development tools such as PVCS, Oracle Versioning, and CMIS.
    Test Procedure:
      - Inquired of the DDRS Project Manager and the lead DBA about the process for granting DBA access to DDRS.
      - Inspected all six SAAR forms to confirm that a form was on file for the DBAs with access to DDRS.
      - Inquired of the end user account administrator regarding the DDRS end user account creation, modification, deletion, and password reset process for DDRS.
    Results of Testing:
      - One of six SAAR forms for DBAs did not have the justification for access completed on the form.
      - None of the six SAAR forms inspected for DBAs had the signatures of the Functional Data Owner and the Information Assurance Officer.
      - One of six DBAs approved his own SAAR form.

CO 29. Control Objective: Access settings have been implemented in accordance with the access authorizations established by the resource owners.

  DISA DECC-Ogden
    Control Activity: DISA DECC-Ogden creates user IDs and passwords as well as access levels as documented in the SAAR form.
    Test Procedure:
      - Confirmed through inquiry of the DDRS System Administrator the process for obtaining an administrator account on the DDRS Operating System.
      - Inspected all nine SAAR forms to confirm that a form was on file for System Administrators with access to the DDRS Operating System.
    Results of Testing:
      - Seven of nine SAAR forms did not have the signature of the Information Assurance Officer.
      - One out of nine users did not have a SAAR form on file because the user no longer required access. However, the access had not been terminated. The user's access was terminated after our testing.

  DFAS-Arlington
    Control Activity: Each DDRS user has access restricted to specific data sets and functional roles as established by the Functional Data Owners.
    Test Procedure:
      - Confirmed through inquiry of the Information Assurance Officer the process for obtaining a user account on DDRS.
      - Inspected all 18 SAAR forms to confirm that a form was on file for the DDRS PMO staff with access to DDRS.
      - Inspected all 22 CMIS access forms to confirm that an access form was on file for PMO staff having access to the CMIS.
    Results of Testing:
      - Three of 18 SAAR forms did not document justification for access, and another three did not document the type of system access.
      - One of 22 CMIS PMO users had access to roles that were not required for his duties.
      - Seven of 22 CMIS PMO users were former DDRS PMO staff, but their access to CMIS had not been terminated.

  DFAS-Cleveland
    Control Activity: Configuration Control and Versioning control systems are in place throughout the development and implementation process to ensure access control. These systems are CMIS, PVCS, and Oracle Designer.
    Test Procedure:
      - Confirmed the process for recording access to the CMIS, the PVCS, and the Oracle Versioning application through inquiry of the following DDRS personnel: DDRS Configuration Manager; PVCS Configuration Manager; and DDRS Budgetary Module Team Lead.
      - Inspected CMIS access forms to confirm that a form was on file for the 33 DDRS development staff with access to the CMIS.
      - Inspected all 31 6i Repository User Access Forms on DFAS-Cleveland DDRS staff members to confirm that a form was on file for the DDRS development staff with access to the Oracle Versioning System.
      - Requested access forms to confirm that a form was on file for DDRS development staff with access to the PVCS.
    Results of Testing: There were no forms used to track PVCS access.

  DFAS-Indianapolis
    Control Activity: DBA access is documented on the DISA Form 41, which is maintained by DISA DECC-Ogden, and access is restricted to development tools such as PVCS, Oracle Versioning, and CMIS.
    Test Procedure:
      - Inquired of the DDRS Project Manager and the lead DBA about the process for granting DBA access to DDRS.
      - Inspected all six SAAR forms to confirm that a form was on file for the DDRS DBAs with access to DDRS.
      - Inquired of the end user account administrator regarding the DDRS end user account creation, modification, deletion, and password reset process.
    Results of Testing:
      - One of six SAAR forms for DBAs did not have the justification for access completed on the form.
      - None of the six SAAR forms inspected for DBAs had the signatures of the Functional Data Owner and the Information Assurance Officer.
      - One of six DBAs approved his own SAAR form.

CO 30. Control Objective: Telecommunications controls are properly implemented in accordance with authorizations that have been granted.

  DISA DECC-Ogden
    Control Activity: Virtual Private Network (VPN) and dial-in are the telecommunications methods used in DDRS. DISA DECC-Ogden uses software called Radius and Tac-X to ensure there are secure telecommunication capabilities. If VPN or dial-up access is needed, the end user must fill out the DoD Form 41 or SAAR form.
    Test Procedure:
      - Confirmed through inquiry of the Lead Firewall Technician and Communications Chief that VPN and dial-in accounts were maintained at DISA DECC-Ogden.
      - Verified that the VPN was noted on the network diagrams.
      - Performed network monitoring testing to test for unauthorized network connections.
    Results of Testing: There were connection attempts from unauthorized hosts to the DDRS database server. These attempts did not appear to be successful.

  DFAS-Arlington
    Control Activity: VPN and dial-in are the telecommunications methods used by DFAS for remote DDRS access. A DFAS user requiring remote access must obtain a DFAS laptop computer equipped with VPN or DFAS Internet Service Provider software. If VPN or DFAS Internet Service Provider access is needed, the end user must fill out the DFAS Internet Service Provider request form in addition to their own DoD Form 2875 for DDRS access.
    Test Procedure: Confirmed through inquiry of the Information Assurance Officer that VPN and dial-in accounts were maintained at the DFAS-wide level and were not specific to DDRS.
    Results of Testing: No relevant exceptions noted.

CO 31. Control Objective: Procedures are in place to clear sensitive information and software from computers, disks, and other equipment or media when they are disposed of or transferred to another use.

  DISA DECC-Ogden
    Control Activity: The guidelines provided by DoD are followed for the destruction of platters, and the certification of destruction is completed by the Facilities Office personnel responsible for the disposition of the drives (failed or upgraded, purchased or leased).
    Test Procedure:
      - Read the Disposition of Unclassified DoD Computer Hard Drives policy used by DISA DECC-Ogden. Confirmed the policy was being used.
      - Inspected a sample of Certification of Hard Drive Disposition forms used to track the completion of cleared hard drives at DISA DECC-Ogden.
    Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
    Control Activity: The DFAS Desktop Management Initiative team removes computers and disks that are to be disposed of or converted to another use from the work areas. They then re-image the machines before re-using or disposing of them.
    Test Procedure:
      - Read the Hardware Excising policy used by DFAS-Arlington. Confirmed the policy was being used.
      - Inspected the log of the wiped and destroyed devices.
    Results of Testing: No relevant exceptions noted.

  DFAS-Cleveland
    Control Activity: A DoD-approved utility called "Wipe Drive" is run on each PC. The utility can be set to achieve the level of security required.
    Test Procedure:
      - Read the Disposition of Unclassified DoD Computer Hard Drives policy used by DFAS-Cleveland. Confirmed that the policy was being used.
      - Inspected the log of the wiped and destroyed devices.
    Results of Testing: No relevant exceptions noted.

  DFAS-Indianapolis
    Control Activity: DFAS-Indianapolis follows DoD requirements for clearing data from computers and other media.
    Test Procedure:
      - Read the DoD Computer Hard Drives Prior To Disposal policy used by DFAS-Indianapolis. Confirmed that the policy was being used.
      - Inspected a sample of Certification of Hard Drive Disposition forms used to track the completion of cleared hard drives at DFAS-Indianapolis.
    Results of Testing: No relevant exceptions noted.

CO 32. Control Objective: Audit trails are maintained at the application, Operating System, and database layers.

  DISA DECC-Ogden
    Control Activity: Operating System audit files are periodically moved to an audit server located at DISA DECC-Ogden. The audit files are then burned to CD and stored on site for one year. After one year, the CDs are destroyed. Operating System audit files are maintained per UNIX STIG requirements.
    Test Procedure: Confirmed through inquiry of an IT Specialist that audit trails were created and reviewed for the DDRS Operating System.
    Results of Testing: No relevant exceptions noted.
Audit files are stored on\n                                               tape on site.\n\n                                               DFAS-Cleveland                               DFAS-Cleveland                      DFAS-Cleveland\n                                               DFAS-Cleveland develops and                  Inquired of the DDRS                No relevant exceptions noted.\n                                               implements audit trails at the DDRS          developers to confirm the\n                                               application level.                           existence of audit trails for\n                                                                                            DDRS.\n\n\n                                                                                            Inspected a random sample of\n                                                                                            audit trails to confirm the audit\n                                                                                            trails existed.\n\n                                               DFAS-Indianapolis                            DFAS-Indianapolis                   DFAS-Indianapolis\n                                               DFAS-Indianapolis maintains database         Inquired of the DBAs to confirm     No relevant exceptions noted.\n                                               alert and listener logs and other database   audit trails existed for DDRS.\n                                               related logs. The logs are reviewed by\n                                               the DBAs on a daily basis. Operating         Inspected a random sample of\n                                               System audit files are maintained per        audit trails to confirm the audit\n                                               UNIX STIG requirements. 
Audit files          trails existed.\n                                               are stored on tape on site.\n\n33    The contents of audit trails are         DISA DECC-Ogden                              DISA DECC-Ogden                     DISA DECC-Ogden\n      protected against unauthorized access,   Audit files are maintained per UNIX          Verified through observation the    No relevant exceptions noted.\n      modification or deletion.                STIG requirements. Audit files are           read and write access to the\n                                               stored on tape on site.                      audit logs for the DDRS\n                                                                                            Operating System was restricted\n\n                                                                               68\n\x0cCO\n               Control Objective                          Control Activity                          Test Procedure                     Results of Testing\nNo.\n                                                                                            to root-privileged users.\n\n                                              DFAS-Cleveland                                DFAS-Cleveland                     DFAS-Cleveland\n                                              The application audit trails are              Through observation, verified      No relevant exceptions noted.\n                                              inherently archived at the table level and    the read and write access to the\n                                              backed up and archived with the               audit logs for the DDRS\n                                              database. The audit trails are                application were restricted to\n                                              maintained as read-only.                      
DBA-privileged users.\n\n                                              DFAS-Indianapolis                             DFAS-Indianapolis                  DFAS-Indianapolis\n                                              Permissions on the audit files are            Through observation, verified      DFAS-Indianapolis was unable to\n                                              restricted to the DBAs only. DISA             the read and write access to the   provide a system-generated listing\n                                              System Administrators also can view           audit logs for the DDRS            of individuals with read or write\n                                              these files, but only on an "as needed"       application and database were      access to the application and\n                                              basis.                                        restricted to DBA-privileged       database audit trails.\n                                                                                            users.\n\n34    Tools are available for the review of   DISA DECC-Ogden                               DISA DECC-Ogden                    DISA DECC-Ogden\n      audit records and for report            HP Audit Tools are used to view audit         Inspected the tools available to   DISA DECC-Ogden did not\n      generation from audit records.          records.                                      
DISA DECC-Ogden personnel          proactively monitor or review\n                                                                                            and confirmed that they            Operating System audit trails.\n                                                                                            supported the security function.\n\n                                              DFAS-Arlington                                DFAS-Arlington                     DFAS-Arlington\n                                              The DDRS software has online report           Inspected the tools available to   No relevant exceptions noted.\n                                              generation capability for each audit trail.   DFAS-Arlington personnel and\n                                                                                            confirmed that they supported\n                                                                                            the security function.\n\n                                              DFAS-Cleveland                                DFAS-Cleveland                     DFAS-Cleveland\n                                              Oracle Enterprise Manager is used to          Inspected the tools available to   No relevant exceptions noted.\n                                              generate audit trail reports at the           DFAS-Cleveland personnel and\n                                              application level for DCM and AFS             confirmed that they supported\n                                              Modules. 
For the DDRS-Budgetary               the development function.\n                                              Module, Web Graphical Interface is\n                                              used for the generation of audit repots.\n\n\n\n                                                                               69\n\x0cCO\n               Control Objective                           Control Activity                         Test Procedure                   Results of Testing\nNo.\n                                                DFAS-Indianapolis                           DFAS-Indianapolis                 DFAS-Indianapolis\n                                                Scripts are written that can extract the    Inquired of DBAs that             No relevant exceptions noted.\n                                                information from the audit logs to report   automated tools were available\n                                                on activity.                                for viewing audit trails.\n\n                                                                                            Inspected scripts used for\n                                                                                            viewing audit trails at the\n                                                                                            database level.\n\n35    Actual or attempted unauthorized,         DISA DECC-Ogden                             DISA DECC-Ogden                   DISA DECC-Ogden\n      unusual, or sensitive network access      Authorized and unauthorized network         Inquired of the System Security   No relevant exceptions noted.\n      is monitored.                             access is monitored through TCP             Administrator to confirm that\n                                                Wrapper and Klaxon or Banshee. 
Host         unauthorized, unusual, or\n                                                based-Intrusion Detection System,           sensitive access was monitored\n                                                Symantec Enterprise Security Manager,       .\n                                                and Intruder Alert are installed on all     Performed network monitoring\n                                                UNIX servers.                               using the Securify tool to test\n                                                                                            whether DDRS interfaces were\n                                                                                            monitored with the Intruder\n                                                                                            Alert server.\n\n36    Suspicious or irregular access activity   DISA DECC-Ogden                             DISA DECC-Ogden                   DISA DECC-Ogden\n      is investigated and appropriate action    When suspicious activity is detected,       Inquired of the Security          No relevant exceptions noted.\n      taken.                                    initial investigation is performed. 
If      Administrator to confirm that\n                                                deemed an actual event, the Continental     suspicious or irregular access\n                                                United States Regional Computer             activity was investigated and\n                                                Emergency Response Team is notified         appropriate actions were taken.\n                                                and action is taken as required.\n\n37    The acquisition, development, and         DFAS-Arlington                              DFAS-Arlington                    DFAS-Arlington\n      use of mobile code to be deployed in      Mobile code used by DDRS consists of        Inquired of the Information       No relevant exceptions noted.\n      DoD systems meet current guidelines,      Java Applets running within the Sun         Assurance Officer to confirm\n      standards and regulations.                Java Virtual Machine or under Oracle J-     that the acquisition,\n                                                Initiator. DoD policy defines these         development, and use of mobile\n                                                technologies as \xe2\x80\x9cCategory 2 Mobile          code to be deployed in DoD\n                                                Code\xe2\x80\x9d which must be either used within      systems met current guidelines,\n                                                an enclave or be digitally signed. 
If an    standards, and regulations.\n                                                applet is obtained from a trusted source\n\n                                                                                70\n\x0cCO\n               Control Objective                         Control Activity                         Test Procedure                    Results of Testing\nNo.\n                                              over an assured channel, or if it is\n                                              signed with a DoD-approved Public Key\n                                              Information certificate, then the DoD\n                                              mobile policy says users may execute it.\n                                              Providing an applet over an assured\n                                              channel that provides source\n                                              authentication, such as Secure Socket\n                                              Layer or Transport Layer Security, is a\n                                              Policy-compliant way to provide an\n                                              applet in a trusted fashion. 
DDRS\n                                              mobile code components are transmitted\n                                              using a Secure Socket Layer channel,\n                                              which is digitally signed and\n                                              authenticated with a DoD issued Public\n                                              Key Information certificate.\n\n                                              DFAS-Cleveland                              DFAS-Cleveland                     DFAS-Cleveland\n                                              By definition, mobile code is software      Inquired with appropriate          No relevant exceptions noted.\n                                              obtained from remote systems outside        personnel to confirm that the\n                                              the enclave boundary, transferred across    acquisition, development, and\n                                              a network, and then downloaded and          use of mobile code to be\n                                              executed on a local system without          deployed in DoD systems met\n                                              explicit installation or execution by the   current guidelines, standards,\n                                              recipient. Therefore, this item is not      and regulations.\n                                              applicable to DDRS releases.\n\n38    All servers, workstations and mobile    DISA DECC-Ogden                             DISA DECC-Ogden                    DISA DECC-Ogden\n      computing devices implement virus       All workstations and servers use            Observed that servers,             The test results have been removed\n      protection that includes a capability   antivirus software.                         workstations, and mobile           from the SAS 70 Report due to the\n      for automatic updates.          
                                                    computing devices implemented      sensitivity of the information\n                                                                                          virus protection that included a   contained in the test results.\n                                                                                          capability for automatic updates\n                                                                                          for all DDRS locations.\n\n                                                                                          Inspected a screen print as\n                                                                                          evidence that these settings had\n                                                                                          been configured.\n\n\n                                                                              71\n\x0cCO\n      Control Objective              Control Activity                      Test Procedure                    Results of Testing\nNo.\n\n                          DFAS-Arlington                           DFAS-Arlington                     DFAS-Arlington\n                          All workstations and servers at          Observed that servers,             No relevant exceptions noted.\n                          DFAS-Arlington use antivirus software,   workstations, and mobile\n                          which has an automatic update            computing devices implemented\n                          capability.                              
virus protection that included a\n                                                                   capability for automatic updates\n                                                                   for all DDRS locations.\n\n                                                                   Inspected a screen print as\n                                                                   evidence that these settings had\n                                                                   been configured.\n\n                          DFAS-Cleveland                           DFAS-Cleveland                     DFAS-Cleveland\n                          All workstations and servers at          Observed that servers,             No relevant exceptions noted.\n                          DFAS-Cleveland use antivirus software,   workstations, and mobile\n                          which has an automatic update            computing devices implemented\n                          capability.                              virus protection that included a\n                                                                   capability for automatic updates\n                                                                   for all DDRS locations.\n\n                                                                   Inspected a screen print as\n                                                                   evidence that these settings had\n                                                                   been configured.\n\n                          DFAS-Indianapolis                        DFAS-Indianapolis                  DFAS-Indianapolis\n                          All workstations and servers at DFAS-    Observed that servers,             No relevant exceptions noted.\n                          Indianapolis use antivirus software,     workstations, and mobile\n                          which has an automatic update            computing devices implemented\n                    
      capability.                              virus protection that included a\n                                                                   capability for automatic updates\n                                                                   for all DDRS locations.\n\n                                                                   Inspected a screen print as\n                                                                   evidence that these settings had\n                                                                   been configured.\n\n\n\n                                                        72\n\x0cCO\n               Control Objective                         Control Activity                        Test Procedure                       Results of Testing\nNo.\n39    All VPN traffic is visible to network   DISA DECC-Ogden                            DISA DECC-Ogden                       DISA DECC-Ogden\n      Intrusion Detection System (IDS).       All external Virtual Private Network       Inquired of the System                No relevant exceptions noted.\n                                              traffic coming into DISA DECC-Ogden        Administrators to confirm that\n                                              is visible to the IDS.                     all VPN traffic was visible to the\n                                                                                         network IDS.\n\n40    At a minimum, robust Commercial         DISA DECC-Ogden                            DISA DECC-Ogden                       DISA DECC-Ogden\n      off-the-shelf Information Assurance     No public network is used. The DoD         Performed network monitoring          No relevant exceptions noted.\n      enabled products are used to protect    Non-secure Internet Protocol Router        using the Securify tool to test for\n      sensitive information when the          Network is used.                           
unencrypted traffic transmitted\n      information uses public networks or                                                over commercial or wireless\n      the system handling the information                                                networks.\n      is accessible by individuals who are\n      not authorized to access the            DFAS-Arlington                             DFAS-Arlington                        DFAS-Arlington\n      information on the system.              All DDRS application data is               Performed network monitoring          No relevant exceptions noted.\n                                              communicated between the user and the      using the Securify tool to verify\n                                              production server using encryption         that Hyper Text Transfer\n                                              transfer protocol capability. DDRS         Protocol Secure traffic was used\n                                              information does not use public            to communicate between the\n                                              networks.                                  end-users and the server.\n\n41    Unless there is an overriding           DISA DECC-Ogden                            DISA DECC-Ogden                       DISA DECC-Ogden\n      technical or operational problem,       All workstations automatically lock out    Confirmed through observation         No relevant exceptions noted.\n      workstation screen-lock-out function    after 15 minutes of inactivity. Also all   that the workstation screen\n      is associated with each workstation.    work stations can be manually locked by    lock-out function was applied.\n                                              the user at anytime.                       
If they were not being used,\n                                                                                         inquired of the System\n                                                                                         Administrator to determine why\n                                                                                         the screen lock-out function was\n                                                                                         not being used.\n\n                                              DFAS-Arlington                             DFAS-Arlington                        DFAS-Arlington\n                                              At DFAS-Arlington, the workstation         Confirmed through observation         No relevant exceptions noted.\n                                              screen-lock functionality is associated    that the workstation screen\n                                              with each workstation. Users can           lock-out function was applied.\n                                              invoke this screen lock-out function by\n                                              removing their Common Access Card\n                                              (CAC) card from the reader or by\n\n                                                                             73\n\x0cCO\n               Control Objective                         Control Activity                         Test Procedure                       Results of Testing\nNo.\n                                              entering Ctrl-Alt-Delete followed by the\n                                              enter key.\n\n                                              DFAS-Cleveland                              DFAS-Cleveland                        DFAS-Cleveland\n                                              At DFAS-Cleveland, workstation screen       Confirmed through observation         No relevant exceptions noted.\n               
                               lock-out function is associated with each   that workstation screen-lock-out\n                                              workstation. Users can invoke the           function was applied.\n                                              screen lock-out function by removing\n                                              their CAC card from the reader or by\n                                              entering Ctrl-Alt-Delete followed by the\n                                              enter key.\n\n                                              DFAS-Indianapolis                           DFAS-Indianapolis                     DFAS-Indianapolis\n                                              At DFAS-Indianapolis the workstation        Confirmed through observation         No relevant exceptions noted.\n                                              screen lock-out function is available       that the workstation screen\n                                              with each workstation. Users can            lock-out function was applied.\n                                              invoke this function by removing their\n                                              CAC card from the reader or by entering\n                                              Ctrl-Alt-Delete followed by the enter\n                                              key.\n\n42    Instant messaging traffic to and from   DISA DECC-Ogden                             DISA DECC-Ogden                       DISA DECC-Ogden\n      instant messaging clients that are      Instant messaging traffic is not allowed    Performed network monitoring          No relevant exceptions noted.\n      independently configured by end         per DoD Policy.                             
using the Securify tool to test for\n      users and that interact with a public                                               instant messaging traffic to the\n      service provider is prohibited within                                               DDRS servers.\n      DoD information systems.\n                                              DFAS-Arlington                              DFAS-Arlington                        DFAS-Arlington\n                                              Instant messaging users at DFAS-            Performed network monitoring          No relevant exceptions noted.\n                                              Arlington are restricted to DoD instant     using the Securify tool to test for\n                                              messaging servers.                          instant messaging traffic to the\n                                                                                          DDRS servers.\n\n                                              DFAS-Cleveland.                             DFAS-Cleveland                        DFAS-Cleveland\n                                              Instant messaging traffic is not allowed    Performed network monitoring          No relevant exceptions noted.\n                                              per DoD Policy.                             
CO No.   Control Objective   Control Activity   Test Procedure   Results of Testing

    using the Securify tool to test for instant messaging traffic to the DDRS servers.

  DFAS-Indianapolis
    Control Activity: Instant messaging traffic is not allowed per DoD Policy.
    Test Procedure: Performed network monitoring using the Securify tool to test for instant messaging traffic to the DDRS servers.
    Results of Testing: No relevant exceptions noted.

CO No. 43
Control Objective: For Automated Information System applications, a list of all (potential) hosting enclaves is developed and maintained along with evidence of deployment planning and coordination and the exchange of connection rules and requirements.

  DISA DECC-Ogden
    Control Activity: DISA DECC-Ogden requires a Service Level Agreement (SLA) with every customer and a copy of the system's SSAA. The SLA and the SSAA contain the requirements for system and data criticality, maximum acceptable downtime, and any additional continuity of operations support that may be required. Standard DISA procedures provide for the daily backup of critical data and the offsite storage of such data as required, allowing for the resumption of normal processing in the event of scheduled or unscheduled system interruptions or downtime. Each SLA provides the particulars for that organization's system requirements, to include the backup and recovery process and procedures to be followed as well as the maximum downtime that is considered acceptable.
    Test Procedure:
      Read the DISA DECC-Ogden SLA to confirm the DDRS hosting enclave had been identified and documented.
      Performed network monitoring testing using the Securify tool to determine whether the DDRS Internet Protocol address was within the DISA DECC-Ogden hosting enclave.
    Results of Testing: No relevant exceptions noted.

CO No. 44
Control Objective: Group authenticators for application or network access may be used only in conjunction with an individual authenticator.

  DISA DECC-Ogden
    Control Activity: Root is a shared account among the DDRS system administrators. Individual authenticators are required to access the DDRS Operating System.
    Test Procedure:
      Confirmed through inquiry of the DDRS System Administrator the process for obtaining an administrator account on the DDRS Operating System.
      Inspected all nine SAAR forms to confirm that a form was on file for all System Administrators with access to the DDRS Operating System.
    Results of Testing:
      Seven of nine SAAR forms inspected did not have the signature of the Information Assurance Officer on the SAAR form.
      One System Administrator did not have a SAAR form on file. Additionally, access had not been removed for that user in a timely manner. This user's access was subsequently deleted because he no longer required access to DDRS.

  DFAS-Indianapolis
    Control Activity: The DDRS DBA support team members in Indianapolis each have their own Unix account for each platform in Ogden that supports the DDRS application. DBAs share the Oracle UNIX account, but they cannot log in to that account directly. DBAs must log in to the platform with their unique account and then su (Switch User) to the Oracle account.
    Test Procedure:
      Inquired of the DDRS Project Manager and the lead DBA of the process for granting DBA access to DDRS.
      Inspected all six SAAR forms to confirm that a form was on file for DBAs with access to DDRS.
      Inquired of the end user account administrator regarding the DDRS end user account creation, modification, deletion, and password reset process.
    Results of Testing:
      One of six SAAR forms for DBAs did not have the justification for access completed on the SAAR form.
      None of the six SAAR forms inspected for DBAs had the signatures of the Functional Data Owner and Information Assurance Officer.
      One of six DBAs approved his own SAAR form.

CO No. 45
Control Objective: To help prevent inadvertent disclosure of controlled information, all contractors and foreign nationals are identified by e-mail addresses and display names.

  DISA DECC-Ogden
    Control Activity: All DISA DECC-Ogden e-mail addresses are compliant with the control objective. DISA DECC-Ogden does not control other e-mail addresses within DDRS or Tech POC e-mail address lists. To prevent inadvertent disclosure of controlled information, all contractors are identified by the abbreviation "ctr" and all foreign nationals are identified by their two-character country code.
    Test Procedure: Inspected the e-mail addresses of all DDRS-related personnel at DISA DECC-Ogden to confirm that contractors and foreign nationals were identified in their e-mail addresses and display names.
    Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
    Control Activity: Contractors at DFAS-Arlington are identified as such in their e-mail display name.
    Test Procedure: Inspected the e-mail addresses of all DDRS-related individuals at DFAS-Arlington to confirm that contractors and foreign nationals were identified in their e-mail addresses and display names.
    Results of Testing: No relevant exceptions noted.

  DFAS-Cleveland
    Control Activity: Contractors at DFAS-Cleveland are identified as such in their e-mail display name.
    Test Procedure: Inspected the e-mail addresses of all DDRS-related individuals at DFAS-Cleveland to confirm that contractors and foreign nationals were identified in their e-mail addresses and display names.
    Results of Testing: No relevant exceptions noted.

  DFAS-Indianapolis
    Control Activity: Contractors at DFAS-Indianapolis are identified as such in their e-mail display name.
    Test Procedure: Inspected the e-mail addresses of all DDRS-related individuals at DFAS-Indianapolis to confirm that contractors and foreign nationals were identified in their e-mail addresses and display names.
    Results of Testing: No relevant exceptions noted.

CO No. 46
Control Objective: Unclassified, sensitive data transmitted through a commercial or wireless network are encrypted using National Institute of Standards and Technology certified cryptography.

  DISA DECC-Ogden
    Control Activity: DDRS does not use a commercial or wireless network to transmit data. All data coming into DDRS from outside DISA DECC-Ogden is through File Transfer Protocol (FTP) or VPN communications.
    Test Procedure:
      Performed network monitoring using the Securify tool to verify that Hyper Text Transfer Protocol Secure traffic was used to communicate between the end users and the server.
      Performed network monitoring using the Securify tool to test for unencrypted traffic transmitted over commercial or wireless networks.
    Results of Testing: No relevant issues noted.

CO No. 47
Control Objective: Discretionary access controls are a sufficient Information Assurance mechanism for connecting DoD information systems operating at the same classification, but with different need-to-know access rules.

  DFAS-Arlington
    Control Activity: There are no system interfaces with DDRS.
    Test Procedure:
      Inquired of the Information Assurance Officer to confirm there were no automated system interfaces for DDRS.
      Read the DDRS SSAA to confirm that data had been assigned a classification level and that there were no automated system interfaces.
    Results of Testing: There were no automated system interfaces identified. No relevant exceptions noted.

CO No. 48
Control Objective: Conformance testing that includes periodic, unannounced, in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures is planned, scheduled, and conducted.

  DISA DECC-Ogden
    Control Activity: DISA DECC-Ogden performs a monthly Information Security System scan. The monthly Information Security System scan is not announced. Automated SRR scripts are run on each server and reported to the Montgomery SRR database on a weekly basis.
    Test Procedure:
      Confirmed through inquiry that conformance testing was performed; that it included periodic, unannounced, in-depth monitoring and provided for specific penetration testing to confirm compliance with all vulnerability mitigation procedures; and that it was planned, scheduled, and conducted.
      Inspected Information System Security scans and inspected evidence that conformance and penetration testing was being completed.
      Inspected physical penetration testing documentation for DISA DECC-Ogden.
    Results of Testing: No relevant exceptions noted.

CO No. 49
Control Objective: All users are warned that they are entering a Government information system.

  DISA DECC-Ogden
    Control Activity: All users are warned that they are entering a Government information system before gaining access to the network or system. All users must view a warning banner on each access to DDRS.
    Test Procedure: Observed that a sample of workstations displayed a DoD warning banner.
    Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
    Control Activity: All users are warned that they are entering a Government information system before gaining access to the network or system. All users must view a warning banner on each access to DDRS.
    Test Procedure: Observed that a sample of workstations displayed a DoD warning banner.
    Results of Testing: No relevant exceptions noted.

  DFAS-Cleveland
    Control Activity: All users are warned that they are entering a Government information system before gaining access to the network or system. All users must view a warning banner on each access to DDRS.
    Test Procedure: Observed that a sample of workstations displayed a DoD warning banner.
    Results of Testing: No relevant exceptions noted.

  DFAS-Indianapolis
    Control Activity: All users are warned that they are entering a Government information system before gaining access to the network or system. All users must view a warning banner on each access to DDRS.
    Test Procedure: Observed that a sample of workstations displayed a DoD warning banner.
    Results of Testing: No relevant exceptions noted.

CO No. 50
Control Objective: Information and DoD information systems that store, process, transmit, or display data in any form or format that is not approved for public release comply with all requirements in policy and guidance documents.

  DISA DECC-Ogden
    Control Activity: The DECC-Ogden environment and network operate under the security provisions of public law, Executive Orders, Department of Defense directives and regulations, and DISA instructions, guides, and handbooks.
    Test Procedure:
      Confirmed through observation that workstation screen-lock functionality was applied. If screen lock-outs were not being used, we met with a System Administrator to confirm the reason.
      Inquired of key personnel to confirm that information in transit through a network at the same classification level was encrypted.
      Performed network monitoring to confirm traffic transmitted over commercial networks was encrypted.
      Observed that displays and printers used for sensitive but unclassified information were positioned to deter unauthorized individuals from reading the information at all the locations.
    Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
    Control Activity: DDRS prepares and displays financial reports in compliance with the DoD Financial Management Regulation (http://www.dod.mil/comptroller/fmr/). Reports containing user names are labeled in accordance with DoD 5200.1-R, Appendix 3.
    Test Procedure:
      Confirmed through observation that the workstation screen lock-out function was applied.
      Observed that displays used for DDRS activities were positioned to deter unauthorized individuals from reading the information.
    Results of Testing: No relevant exceptions noted.

CO No. 51
Control Objective: Information in transit through a network at the same classification level, but which must be separated for need-to-know reasons, is encrypted, at a minimum, with National Institute of Standards and Technology certified cryptography.

  DISA DECC-Ogden
    Control Activity: Information is encrypted with National Institute of Standards and Technology certified cryptography.
    Test Procedure: Performed network monitoring using the Securify tool to confirm information was encrypted.
    Results of Testing: No relevant exceptions noted.

CO No. 52
Control Objective: Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a Demilitarized Zone (DMZ).

  DISA DECC-Ogden
    Control Activity: Systems that require public access are placed in an isolated subnet in a DMZ for the security of those systems without impacting the remainder of the subnets within the environment. The DDRS DMZ is located at DISA DECC-Ogden.
    Test Procedure: Inspected the DISA DECC-Ogden system architecture to confirm that connections between DoD enclaves and the Internet were configured with a DMZ.
    Results of Testing: No relevant exceptions noted.

CO No. 53
Control Objective: Boundary defense mechanisms to include firewalls and network IDS are deployed at the enclave boundary.

  DISA DECC-Ogden
    Control Activity: DISA DECC-Ogden has four Class C networks that are used for different purposes as well as one Class B network. The premise routers are configured to let only authenticated networks with a justified requirement through to systems on the DISA DECC-Ogden networks. All production systems are protected by two Juniper M20 premise routers. Additionally, an Intrusion Detection System has been implemented for DISA DECC-Ogden.
    Test Procedure:
      Inspected the DISA DECC-Ogden system architecture to confirm that boundary defense mechanisms, to include firewalls and network Intrusion Detection Systems, were deployed at the enclave boundary.
      Inspected a system network diagram and read the diagram with the System Administrator to confirm that defense mechanisms were employed.
      Observed the existence of firewalls and Intrusion Detection Systems.
    Results of Testing: No relevant exceptions noted.

CO No. 54
Control Objective: Devices that display or output classified or sensitive but unclassified information in human readable form are positioned to deter unauthorized individuals from reading the information.

  DISA DECC-Ogden
    Control Activity: The DDRS system administrators are located in cubicles and their monitors are placed so that only personnel inside the cubicle could view the information the monitor displayed.
    Test Procedure: Observed that displays used for DDRS activities were positioned to deter unauthorized individuals from reading the information.
    Results of Testing: No relevant exceptions noted.

  DFAS-Arlington
    Control Activity: DFAS-Arlington printers and displays are controlled within a secured building. The DDRS PMO staff is located in cubicles and their monitors are placed so that only individuals inside the cubicle can view the information the monitor displays.
    Test Procedure: Observed that displays used for DDRS activities were positioned to deter unauthorized individuals from reading the information.
    Results of Testing: No relevant exceptions noted.

  DFAS-Cleveland
    Control Activity: The DDRS development staff is located in cubicles and their monitors are placed so that only individuals inside the cubicle could view the information the monitor displays.
    Test Procedure: Observed that displays used for DDRS activities were positioned to deter unauthorized individuals from reading the information.
    Results of Testing: No relevant exceptions noted.

  DFAS-Indianapolis
    Control Activity: The DDRS DBA staff is located in cubicles and their monitors are placed so that only individuals inside the cubicle can view the information the monitor displays.
    Test Procedure: Observed that displays used for DDRS activities were positioned to deter unauthorized individuals from reading the information.
    Results of Testing: No relevant exceptions noted.

CO No. 55
Control Objective: Individuals requiring access to sensitive information are processed for access authorization in accordance with DoD personnel security policies.

  DISA DECC-Ogden
    Control Activity: The SAAR form is sent to DISA DECC-Ogden, which verifies required field contents and signatures, creates user IDs and passwords, and files the SAAR form. All DISA civilians are required to have a minimum of a Secret Clearance or interim Secret Clearance prior to physical or system access being granted. New contractors are submitted for investigation, and Interim Information Technology access granted by DISA Personnel Security or an Interim clearance from the Defense Investigative Security Clearance Office is obtained prior to physical or system access being granted.
    Test Procedure:
      Confirmed through inquiry of the Security Assurance Manager the process of recording security clearances for DISA DECC-Ogden staff.
      Confirmed that background investigations had been performed and were recurring on an appropriate schedule for individuals with access to the DDRS Operating System.
      Confirmed through inquiry of the DDRS System Administrator the process for obtaining an administrator account on the DDRS Operating System.
      Inspected all nine SAAR forms to confirm that a form was on file for all System Administrators with access to the DDRS Operating System.
    Results of Testing:
      Seven of nine SAAR forms inspected did not have the signature of the Information Assurance Officer on the SAAR form.
      One System Administrator did not have a SAAR form on file. Additionally, access had not been removed for that user in a timely manner. This user's access was subsequently deleted because he no longer required access to DDRS.

  DFAS-Arlington
    Control Activity: All individuals requiring access to DDRS must have their Security Manager's approval on the SAAR form before access is granted. The Information Assurance Officer or Assistant Information Assurance Officer verifies the field contents and signatures before creating or requesting the creation of each user ID and password.
    Test Procedure:
      Confirmed through inquiry of the Personnel Security Program Manager the process of recording security clearances for DFAS personnel.
      Inspected all 18 SAAR forms to confirm that a form was on file for the DDRS PMO staff with access to DDRS.
      Inspected all 22 access forms to confirm that a form was on file for PMO staff with access to the CMIS.
    Results of Testing:
      Three of 18 SAAR forms did not have the justification for access completed; another three of 18 did not document the type of system access.
      One of 22 CMIS PMO users had access to roles that were not required for his duties.
      Seven of 22 CMIS PMO users were former DDRS PMO staff, but their access to CMIS had not been terminated.

  DFAS-Cleveland
    Control Activity: All individuals requiring access to DDRS must have their Security Manager's approval on the SAAR form before access is granted.
    Test Procedure: Confirmed through inquiry of the DDRS Configuration Manager, PVCS Configuration
    Results of Testing: There were no forms used to track PVCS access.
The                Manager, and DDRS Budgetary\n                          Information Assurance Officer or             Module Team Lead the process\n                          Assistant Information Assurance Officer      for recording access to the\n                          verifies the field contents and signatures   CMIS, the PVCS, and the Oracle\n                          before creating or requesting the            Versioning application.\n                          creation of each user ID and password.\n                                                                       Inspected CMIS access forms to\n                                                                       confirm that a form was on file\n                                                                       for the 33 DDRS development\n                                                                       staff with access to the CMIS.\n\n                                                                       Inspected all 31 6i Repository\n                                                                       User Access Forms for DFAS-\n                                                                       Cleveland DDRS staff members\n                                                                       to confirm that a form was on\n                                                                       file for the DDRS development\n                                                                       staff with access to the Oracle\n                                                                       Versioning System.\n\n                                                                       Requested access forms to\n                                                                       confirm that a form was on file\n                                                                       for DDRS development staff\n                                                                    
   with access to the PVCS.\n\n                          DFAS-Indianapolis                            DFAS-Indianapolis                 DFAS-Indianapolis\n                          The DDRS DBA staff is required to            Verified that background          One of six SAAR forms for DBAs\n                          complete a SAAR form to obtain a user        investigations had been           did not have the justification for\n                          ID. This form includes a section that        performed and were reoccurring    access completed on the SAAR\n                          must be completed by the security office     on an appropriate schedule for    form.\n                          verifying the employee clearance level.      individuals with access to the\n                          Until security clearance is verified and     DDRS database.                    None of the six SAAR forms\n                          the SAAR form is signed, the user                                              inspected for DBAs had the\n                          cannot log in to any system. The             Inspected all six SAAR forms to   signatures of the Functional Data\n                          processing of the SAAR form and its          confirm that a form was on file   Owner and Information Assurance\n                          status are tracked by the individual team    for the DBAs with access to       Officer.\n                          leads until completion.                      
DDRS.\n                                                                                                         One of six DBAs approved his\n                                                                                                         own SAAR form.\n\n                                                          84\n\x0cCO\n               Control Objective                        Control Activity                         Test Procedure                     Results of Testing\nNo.\n56    DoD information systems comply         DISA DECC-Ogden                             DISA DECC-Ogden                     DISA DECC-Ogden\n      with DoD ports, protocols, and         DDRS ports, protocols, and services are     Confirmed through the               The test results have been removed\n      services guidance.                     in accordance with the DISA STIGs.          performance of network              from the SAS 70 Report due to the\n                                                                                         monitoring using the Securify       sensitivity of the information\n                                                                                         tool that DDRS complied with        contained in the test results.\n                                                                                         DoD ports, protocols, and\n                                                                                         services guidance.\n\n57    Binary or machine executable public    DISA DECC-Ogden                             DISA DECC-Ogden                     DISA DECC-Ogden\n      domain software products and other     Open source programs are allowed after      Read inventory listing to           The test results have been removed\n      software products with limited or no   going through a test and review process     confirm that binary or machine      from the SAS 70 Report due to the\n      warranty are not used in DoD       
    defined by the DISA Field Service           executable public domain            sensitivity of the information\n      information systems.                   Office.                                     software products and other         contained in the test results.\n                                                                                         software products with limited\n                                                                                         or no warranty were not installed\n                                                                                         on DDRS.\n      Application Software Development and Change Control\n58    A system development life cycle        DFAS-Cleveland                              DFAS-Cleveland                      DFAS-Cleveland\n      methodology has been implemented       The DDRS Software Quality Assurance         Read the Software Quality           No relevant exceptions noted.\n      and documented.                        Plan identifies a life cycle methodology,   Assurance Plan to confirm that it\n                                             which incorporates Software Quality         existed and was current.\n                                             Assurance Plan milestones,\n                                             configuration management, and other\n                                             management events including the\n                                             domain of DDRS Policy applicability.\n\n                                             DFAS-Indianapolis                           DFAS-Indianapolis                   DFAS-Indianapolis\n                                             A DoD specific system development life      Read the International              No relevant exceptions noted.\n                                             cycle is operational and utilized for the   Organizational for\n                                             development of 
the application              Standardization Mid-Tier\n                                             software.                                   Guidelines and Procedures to\n                                                                                         confirm that it existed and was\n                                                                                         current.\n\n                                                                                         Read the DFAS Corporate\n                                                                                         Information Infrastructure\n                                                                                         Common Elements Release\n\n                                                                             85\n\x0cCO\n              Control Objective                     Control Activity                        Test Procedure                    Results of Testing\nNo.\n                                                                                    Management DDRS step-by-\n                                                                                    step MOD Creation Procedure to\n                                                                                    confirm that it existed and was\n                                                                                    current.\n\n59    Authorizations for software        DFAS-Cleveland                             DFAS-Cleveland                     DFAS-Cleveland\n      modifications are documented and   A DDRS Configuration Management            Inspected all six DDRS-AFS         The following exceptions were\n      maintained.                        
Plan is observant of authorized            releases, which occurred during    noted:\n                                         modifications, additions, and deletions,   the seven month period under\n                                         which are documented and maintained        review from October 2004 to             \xe2\x80\xa2 Two of six changes\n                                         in the interest of process and product     April 2005, and obtained the            lacked a Functional\n                                         integrity.                                 artifact documentation to               Requirements Review\n                                                                                    confirm the Functional                  Statement of Agreement;\n                                                                                    Requirements Review, Change             \xe2\x80\xa2 One of six changes did\n                                                                                    Control Board, Critical Design          not have a Test Readiness\n                                                                                    Review, Test Readiness Review           Review and Systems\n                                                                                    and Systems Integration Testing         Integration Testing Statement\n                                                                                    , Test Readiness Review,                of Agreement;\n                                                                                    Functional Validation Testing,          \xe2\x80\xa2 One of six changes did\n                                                                                    Test Readiness Review and               not have a Test Readiness\n                                                                                    Concurrent Validation Testing,          Review and 
Functional\n                                                                                    Release Implementation                  Validation Testing Statement\n                                                                                    Readiness Review, and Post              of Agreement;\n                                                                                    Implementation Review                   \xe2\x80\xa2 Two of six changes did\n                                                                                    contained appropriate signatures        not have a Release\n                                                                                    for authorizing the modification        Implementation Readiness\n                                                                                    to DDRS.                                Review Statement of\n                                                                                                                            Agreement; and,\n                                                                                    Inquired of DFAS-Cleveland              \xe2\x80\xa2 One of six changes did\n                                                                                    personnel to corroborate the            not have a Post\n                                                                                    results of the testing.                 
Implementation Review\n                                                                                                                            signature.\n\n\n                                         DFAS-Indianapolis                          DFAS-Indianapolis                  DFAS-Indianapolis\n                                         A configuration management group and       Inquired of DFAS-Indianapolis      We were unable to trace software\n                                         a release management group are             personnel about the process for    modifications from DFAS-\n                                         responsible for maintaining the changes    documenting and maintaining        Cleveland to the changes\n\n                                                                         86\n\x0cCO\n               Control Objective                      Control Activity                       Test Procedure                      Results of Testing\nNo.\n                                           requested via a formal system change      authorizations for software         implemented by DFAS-\n                                           request and each release is a             modifications.                      Indianapolis on the production\n                                           documented process.                                                           
servers because the DFAS-\n                                                                                                                         Indianapolis DBAs were unable to\n                                                                                                                         determine how to match the\n                                                                                                                         modifications to the system change\n                                                                                                                         request maintained by DFAS-\n                                                                                                                         Cleveland.\n\n60    Use of public domain and personal    DISA DECC-Ogden                           DISA DECC-Ogden                     DISA DECC-Ogden\n      software is restricted.              Open source programs are allowed after    Read inventory listing to           The test results have been removed\n                                           going through a test and review process   confirm that binary or machine      the SAS 70 Report due to the\n                                           defined by the DISA Field Service         executable public domain            sensitivity of the information\n                                           Office.                                   
software products and other         contained in the test results.\n                                                                                     software products with limited\n                                                                                     or no warranty were not installed\n                                                                                     on DDRS.\n\n61    Changes are controlled as programs   DFAS-Cleveland                            DFAS-Cleveland                      DFAS-Cleveland\n      progress through testing to final    A DDRS Configuration Management           Inspected all six changes to        The following exceptions were\n      approval.                            Plan is observant of authorized           confirm that the artifact           noted during our testing of all six\n                                           modifications, additions, and deletions   documentation Functional            DDRS-AFS module releases. We\n                                           which are documented and maintained       Requirements Review, Change         noted the following missing\n                                           in the interest of process and product    Control Board, Critical Design      elements: Function Requirements\n                                           integrity.                                
Review, Test Readiness Review       Review Statement of Agreement;\n                                                                                     and Systems Integration Testing,    Test Readiness Review and\n                                                                                     Test Readiness Review,              Systems Integration Testing\n                                                                                     Functional Validation Testing,      Checklist; Test Readiness Review\n                                                                                     Test Readiness Review and           and Systems Integration Testing\n                                                                                     Concurrent Validation Testing,      Attendee List; Test Readiness\n                                                                                     Release Implementation              Review and Systems Integration\n                                                                                     Readiness Review, and Post          Testing Open Item List; Test\n                                                                                     Implementation Review was           Readiness Review and Systems\n                                                                                     available, complete and             Integration Testing Statement of\n                                                                                     authorized for modifications to     Agreement; Test Readiness\n                                                                                     DDRS.                               
Review and Functional Validation\n                                                                                                                         Testing Checklist; Test Readiness\n                                                                                                                         Review and Functional Validation\n\n                                                                           87\n\x0cCO\n               Control Objective                       Control Activity                       Test Procedure                    Results of Testing\nNo.\n                                                                                      Inquired of DFAS-Cleveland         Testing attendee list;\n                                                                                      personnel to corroborate the       Test Readiness Review and\n                                                                                      results of the testing.            Functional Validation Testing\n                                                                                      Read the SPI policies and          open item list; Test Readiness\n                                                                                      confirmed they described the       Review and Functional Validation\n                                                                                      process that changes must go       Testing, Statement of Agreement;\n                                                                                      through to be implemented.         
Functional Validation Testing\n                                                                                                                         Certification Form; Release\n                                                                                                                         Implementation Readiness Review\n                                                                                                                         Statement of Agreement; Post\n                                                                                                                         Implementation Readiness Review\n                                                                                                                         Signature; Final Physical\n                                                                                                                         Configuration Audit; and Final\n                                                                                                                         Functional Configuration Audit.\n\n                                            DFAS-Indianapolis                         DFAS-Indianapolis                  DFAS-Indianapolis\n                                            DDRS employs the CMIS and Oracle\'s        Inquired of DFAS-Indianapolis      We were unable to trace software\n                                            Designer Repository to control            personnel about the process for    modifications from DFAS-\n                                            programs and their progress throughout    controlling changes for software   Cleveland to the changes\n                                            testing and final approval. The Release   modifications.                     
implemented by DFAS-\n                                            Management Group also controls                                               Indianapolis on the DDRS\n                                            changes to the production environment                                        production servers because the\n                                            and maintains an audit trail on                                              DFAS-Indianapolis DBAs were\n                                            application changes.                                                         unable to determine how to match\n                                                                                                                         the modifications to the system\n                                                                                                                         change requests maintained by\n                                                                                                                         DFAS-Cleveland.\n\n62    Emergency changes are promptly        DFAS-Cleveland                            DFAS-Cleveland                     DFAS-Cleveland\n      randomly sampled and approved         Emergency changes are handled by          Inspected a random sample of       No relevant exception noted.\n      before being moved into production.   creating an Emergency Release Waiver.     changes to confirm that an\n                                            Changes are required to be randomly       Emergency Release Waiver was\n                                            sampled before being moved into           created, completed and\n                                            production.                               
authorized by appropriate\n                                                                                      personnel when necessary.\n                                                                                      Inquired of DFAS-Cleveland\n                                                                                      personnel to corroborate the\n                                                                                      results of the testing.\n\n                                                                           88\n\x0cCO\n               Control Objective                          Control Activity                        Test Procedure                   Results of Testing\nNo.\n\n                                               DFAS-Indianapolis                          DFAS-Indianapolis                 DFAS-Indianapolis\n                                               Emergency changes are handled in the       Inquired of DFAS-Indianapolis     We were unable to trace software\n                                               same manner as the normal release          personnel on the process of       modifications from DFAS-\n                                               processes. A configuration management      documenting and maintaining       Cleveland to the changes\n                                               group and a release management group       authorizations for emergency      implemented by\n                                               are responsible for maintaining the        software modifications.           DFAS-Indianapolis on the DDRS\n                                               changes requested via a formal system                                        production servers because the\n                                               change request and each release is a                                         DFAS-Indianapolis DBAs were\n                                               documented process. 
unable to determine how to match the modifications to the system change requests maintained by DFAS-Cleveland.

63  Distribution and implementation of new or revised software is controlled.

    DFAS-Indianapolis
    Control Activity: The Technology Services Organization and Corporate Services control the submission of software or application changes into the production environment. The DDRS developers submit changes via File Transfer Protocol to an inbox on a Technology Services Organization platform. The announcement is made via e-mail to Technology Services Organization release management. Release Management picks up the submittal and relays the changes to the DBA staff using File Transfer Protocol. These changes are then applied on the appropriate DISA server or platform.
    Test Procedure: Inquired of DFAS-Indianapolis personnel about the process for distributing and releasing software modifications.
    Results of Testing: We were unable to trace software modifications from DFAS-Cleveland to the changes implemented by DFAS-Indianapolis on the DDRS production servers because the DFAS-Indianapolis DBAs were unable to determine how to match the modifications to the system change requests maintained by DFAS-Cleveland.

64  Programs are labeled and inventoried.

    DFAS-Cleveland
    Control Activity: The DFAS Corporate Information Infrastructure Naming Standard document is used for labeling and inventorying programs.
    Test Procedure: Inspected a random sample of 930 configuration items to determine compliance with naming standards and to confirm that they were inventoried.
    Results of Testing: The DFAS Corporate Information Infrastructure naming standards were not followed for DDRS items.

65  Access to program libraries is restricted to appropriate personnel.

    DFAS-Cleveland
    Control Activity: DFAS-Cleveland grants role-based access to each member of the DDRS development team on joining the team, and periodically when Corporate Services requires it.
    Test Procedure: Confirmed the process for recording access to the CMIS, the PVCS, and the Oracle Versioning application through inquiry of the following DDRS personnel: DDRS Configuration Manager; PVCS Configuration Manager; and DDRS Budgetary Module Team Lead.
    Inspected CMIS access forms to confirm that a form was on file for the 33 DDRS development staff with access to the CMIS.
    Inspected all 6i Repository User Access Forms for a sample of 31 DFAS-Cleveland DDRS staff members to confirm that a form was on file for the DDRS development staff with access to the Oracle Versioning System.
    Requested access forms to confirm that a form was on file for DDRS development staff with access to the PVCS.
    Results of Testing: There were no forms used to track access to the PVCS.

    DFAS-Indianapolis
    Control Activity: Access to development tools such as CMIS, PVCS and Oracle Versioning is controlled through standard procedures and documented request forms.
    Test Procedure: Inquired of the DDRS Project Manager and the lead DBA about the process for granting DBA access to DDRS.
    Inspected all six SAAR forms to confirm that a form was on file for the DDRS DBAs with access to DDRS.
    Results of Testing: One of six SAAR forms for DBAs did not have the justification for access completed on the SAAR form.
    None of the six SAAR forms inspected for DBAs had the signatures of the Functional Data Owner and Information Assurance Officer.
    One of six DBAs approved his own SAAR form.
    DFAS-Indianapolis DBAs had full access to the DDRS test, development, and production environments.

66  Acquisition or outsourcing of IT services explicitly addresses Government, service provider, and end user IA roles and responsibilities.

    DFAS-Indianapolis
    Control Activity: The Statement of Work governs the explicit roles and responsibilities for any service provider that bids on services for the DDRS system.
    Test Procedure: Inspected the Statement of Work contract agreement to confirm that it expressly addressed Government, service provider, and end-user IA roles and responsibilities.
    Results of Testing: No relevant exceptions noted.

    DFAS-Arlington
    Control Activity: The DDRS PMO outsources the Central Design Agency, Database Administrator, and application hosting Information Technology services to DFAS-Cleveland, DFAS-Indianapolis, and DISA DECC-Ogden, respectively. Each agreement delineates roles and responsibilities.
    Test Procedure: Inspected the SOW contract agreement to confirm that it expressly addressed Government, service provider, and end-user IA roles and responsibilities.
    Inquired of DFAS-Arlington personnel to corroborate the results of the testing.
    Results of Testing: No relevant exceptions noted.

67  The acquisition of all Information Assurance and Information Assurance-enabled Government Off-the-Shelf Information Technology products is limited to products that have been evaluated by the National Security Agency or in accordance with National Security Agency approved processes.

    DFAS-Arlington
    Control Activity: All Government off-the-shelf Information Technology products used in DDRS have been evaluated under the Common Criteria or are under evaluation.
    Test Procedure: Confirmed through inquiry that DDRS was not a Government Off-the-Shelf product.
    Results of Testing: No relevant exceptions noted.

68  Movement of programs and data among libraries is controlled.

    DFAS-Cleveland
    Control Activity: The development team conducts Test Readiness Reviews-System Integration Testing, Test Readiness Reviews-Functional Validation Testing, and Release Implementation Readiness Review, and produces or defines ARCs compression format at the time of implementation readiness. Changes are released to the Release Management Group at DFAS-Indianapolis for implementation.
    Test Procedure: Inspected a sample of six changes to confirm that the artifact testing documentation (Test Readiness Review and System Integration Testing, Test Readiness Review and Functional Validation Testing, Test Readiness Review and Change Validation Testing, and Release Implementation Readiness Review) was available, complete, and authorized for modifications to DDRS.
    Inquired of DFAS-Cleveland personnel to corroborate the results of the testing.
    Results of Testing: The following exceptions were noted during our testing of all six DDRS-AFS module releases. We noted the following missing elements: Function Requirements Review Statement of Agreement; Test Readiness Review and Systems Integration Testing Checklist; Test Readiness Review and Systems Integration Testing Attendee List; Test Readiness Review and Systems Integration Testing Open Item List; Test Readiness Review and Systems Integration Testing Statement of Agreement; Test Readiness Review and Functional Validation Testing Checklist; Test Readiness Review and Functional Validation Testing Attendee List; Test Readiness Review and Functional Validation Testing Open Item List; Test Readiness Review and Functional Validation Testing Statement of Agreement; Functional Validation Testing Certification Form; Release Implementation Readiness Review Statement of Agreement; Post Implementation Readiness Review Signature; Final Physical Configuration Audit; and Final Functional Configuration Audit.

    DFAS-Indianapolis
    Control Activity: DDRS employs CMIS to control the movement of programs and data among libraries. The process includes sign-off by responsible individuals authorizing the actions.
    Test Procedure: Inquired of personnel at DFAS-Indianapolis about the process for controlling movement of programs and data among libraries.
    Results of Testing: We were unable to trace software modifications from DFAS-Cleveland to the changes implemented by DFAS-Indianapolis on the DDRS production servers because DFAS-Indianapolis DBAs were unable to determine how to match the modifications to the System Change Requests maintained by DFAS-Cleveland.

69  Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives.

    DFAS-Cleveland
    Control Activity: A Software Quality Assurance Program has been instituted for all DDRS projects. This program is executed during the lifecycle of all DDRS releases in accordance with DFAS Policy SM-13. A key element of the software quality assurance function is to help develop, and observe adherence to, DDRS policies.
    Test Procedure: Inspected all six changes to verify, through review of attendee listings, that a software quality assurance member was present at each meeting.
    Inspected all six changes to confirm that the artifact testing documentation (Test Readiness Review and Systems Integration Testing, Test Readiness Review and Functional Validation Testing, and Test Readiness Review and Change Validation Testing) was available, complete and authorized for modifications to DDRS.
    Inquired of key DFAS-Cleveland personnel to corroborate the results of the testing above.
    Results of Testing: The following exceptions were noted during our testing of all six DDRS-AFS module releases. We noted the following missing elements: FRR SQA Presence; Function Requirements Review Statement of Agreement; Test Readiness Review and Systems Integration Testing Checklist; Test Readiness Review and Systems Integration Testing Attendee List; Test Readiness Review and Systems Integration Testing Open Item List; Test Readiness Review and Systems Integration Testing Statement of Agreement; Test Readiness Review and Functional Validation Testing Checklist; Test Readiness Review and Functional Validation Testing Attendee List; Test Readiness Review and Functional Validation Testing Open Item List; Test Readiness Review and Functional Validation Testing Statement of Agreement; Functional Validation Testing Certification Form; Release Implementation Readiness Review Statement of Agreement; Post Implementation Readiness Review Signature; Final Physical Configuration Audit; and Final Functional Configuration Audit.

    System Software Controls

70  Access authorizations are appropriately limited.

    DISA DECC-Ogden
    Control Activity: Access to system software is restricted to personnel with corresponding job responsibilities by access control software. Update access should generally be limited to primary and backup systems programmers.
    Test Procedure: Read the policies and procedures for restricting access to the system software to confirm that they were current.
    Inspected all nine SAAR forms to confirm that a form was on file for all System Administrators with access to the DDRS Operating System.
    Results of Testing: Seven of nine SAAR forms inspected did not have the signature of the Information Assurance Officer on the SAAR form.
    One System Administrator did not have a SAAR form on file. Additionally, access had not been removed for that user in a timely manner. This user’s access was subsequently deleted because he no longer required access to DDRS.

71  All access paths have been identified and controls implemented to prevent or detect access for all paths.

    DISA DECC-Ogden
    Control Activity: Auditing is enabled on all DDRS servers at the Operating System level. The UNIX STIG is enforced on all DDRS servers. The Operating System is configured to prevent circumvention of the security software and application controls. Access to system software is restricted to personnel with corresponding job responsibilities by access control software. Update access should generally be limited to primary and backup systems programmers.
    Test Procedure: Confirmed through inquiry of an IT Specialist that audit trails were created and reviewed for the DDRS Operating System.
    Confirmed through inquiry of the Lead Firewall Technician and Communications Chief, and through observation, that all access paths were monitored.
    Results of Testing: DISA DECC-Ogden did not proactively monitor or review audit trails.

72  Policies and techniques have been implemented for using and monitoring the use of system utilities.

    DISA DECC-Ogden
    Control Activity: Audit logs are used to monitor the use of system utilities.
    Test Procedure: Confirmed through inquiry of an IT Specialist that audit trails were created and reviewed for the DDRS Operating System.
    Read a sample of the audit logs from the DDRS servers to confirm that Ogden personnel reviewed the logs on a regular basis and that any issues noted were documented and researched.
    Inspected all nine SAAR forms to confirm that a form was on file for all System Administrators with access to the DDRS Operating System.
    Confirmed through inquiry of the System Administrators that the super user log was created and reviewed.
    Results of Testing: DISA DECC-Ogden did not proactively monitor or review audit trails.
    Seven of nine SAAR forms inspected did not have the signature of the Information Assurance Officer on the SAAR form.
    One System Administrator did not have a SAAR form on file. Additionally, access had not been removed for that user in a timely manner. This user’s access was subsequently deleted because he no longer required access to DDRS.

73  System software changes are authorized, tested, and approved before implementation.

    DISA DECC-Ogden
    Control Activity: All software changes and upgrades are approved by either the DISA Change Control Board or the DISA DECC-Ogden Change Control Board, and are developed in a closed environment. All existing or migrated software and firmware were thoroughly tested prior to installation on DISA DECC-Ogden’s production platforms. Any new software undergoes the same testing procedures. If software vulnerabilities are identified, the commercial vendors, Government Central Design Agencies, or appropriate Systems Support Offices test, correct, and field appropriate patches or upgrades to correct the problem.
    Test Procedure: Requested and inspected the change management policies and procedures for system software to confirm that they existed and were current.
    Results of Testing: No relevant exceptions noted.

74  Installation of system software is documented and reviewed.

    DISA DECC-Ogden
    Control Activity: Installation procedures for the Operating System are maintained within the DISA DECC-Ogden Business Continuity Plan.
    Test Procedure: Inspected and read the DISA DECC-Ogden Business Continuity Plan to confirm that the installation of system software was documented and reviewed.
    Results of Testing: No relevant exceptions noted.

75  Good engineering practices with regard to the integrity mechanisms of commercial-off-the-shelf, Government-off-the-shelf, and custom developed solutions are implemented for incoming and outgoing files.

    DISA DECC-Ogden
    Control Activity: Policy mandates the use of Secure Shell (SSH), Secure File Transfer Protocol, or Secure Communications Processor for file transfers.
    Test Procedure: Confirmed through inquiry of the System Administrator that there were no automated system interfaces between DDRS and other automated information systems.
    Performed network monitoring and testing using the Securify tool to confirm that no unencrypted traffic was transmitted over the DISA DECC-Ogden networks.
    Inspected and read the DDRS SSAA to confirm that no automated interfaces exist.
    Results of Testing: The test results have been removed from the SAS 70 Report due to the sensitivity of the information contained in the test results.

    Segregation of Duties

76  Incompatible duties have been identified and policies implemented to segregate these duties.

    DISA DECC-Ogden
    Control Activity: System Administration, System Security, Information Assurance Officer, and Information Assurance Manager duties are all separated at DISA DECC-Ogden.
    Results of Testing: No relevant exceptions noted.
    Test Procedure: Confirmed through inquiry of DISA DECC-Ogden personnel and inspection of job descriptions that DISA had
                   effectively segregated\n                                                                                      incompatible duties.\n                                            System Administrators manage server\n                                            software and hardware. System Security    Inspected the DISA DECC-\n                                            Administrators manage weekly System       Ogden organization chart to\n                                            Readiness Review scripts and manage       confirm that it existed, was\n                                            all Information Assurance Vulnerability   current, and was approved by\n                                            Alert requirements. DBAs manage           management.\n                                            databases and application support.\n                                            Information Assurance Officers and\n                                            Information Assurance Mangers manage\n                                            documentation for all findings, store\n                                            auditing files, and do vulnerability\n                                            scans.\n\n                                            DFAS-Arlington                            DFAS-Arlington                    DFAS-Arlington\n                                            DDRS has a Program Manager, an            Confirmed through inquiry of      No relevant exceptions noted.\n                                            Information Assurance Officer,            the Information Assurance\n                                            Assistant Information Assurance           Officer and inspection of job\n                                            Officers, and an Information Assurance    descriptions that DFAS-\n                                            Manager. 
Additionally, the DDRS           Arlington had effectively\n                                            software prohibits an individual from     segregated incompatible duties.\n\n                                                                           97\n\x0cCO\n      Control Objective              Control Activity                        Test Procedure                       Results of Testing\nNo.\n                          approving any transaction that they have\n                          initiated such as a Journal Voucher or a   Read the DDRS PMO\n                          trial balance correction. In DDRS          organizational chart and job\n                          Budgetary, assignment of powerful roles    descriptions to confirm that all\n                          like these are restricted to the           positions were established in\n                          \xe2\x80\x9cHeadquarters System Security              writing.\n                          Administrator\xe2\x80\x9d role.\n                                                                     Inspected the Appointment\n                                                                     Letters for the Information\n                                                                     Assurance Officer, Assistant\n                                                                     Information Assurance Officer\n                                                                     and the Information Assurance\n                                                                     Manager to confirm that these\n                                                                     individuals had been appointed\n                                                                     in writing with the\n                                                                     responsibilities of their positions\n                                                                     included in the 
appointment\n                                                                     letters.\n\n                          DFAS-Cleveland                             DFAS-Cleveland                        DFAS-Cleveland\n                          To define the guidelines and roles for     Confirmed through inquiry of          No relevant exceptions noted.\n                          the development and implementation of      DFAS-Cleveland personnel and\n                          DDRS products, to this date, twenty two    inspection of job descriptions\n                          DDRS policies have been developed to       that DFAS-Cleveland had\n                          ensure due process and repeatability in    effectively segregated\n                          the interest of quality in the DDRS        incompatible duties.\n                          software process and its products.\n                          There is also a Software Quality           Read the DFAS-Cleveland\n                          Assurance function in place to ensure      organizational chart and job\n                          developers are following policies and      descriptions to confirm that all\n                          procedures.                                positions were established in\n                                                                     writing.\n\n                          DFAS-Indianapolis                          DFAS-Indianapolis                     DFAS-Indianapolis\n                          The DDRS application is controlled by      Confirmed through inquiry of          No relevant exceptions noted.\n                          Oracle roles assigned to users.            DFAS-Indianapolis personnel\n                          Managers oversee user access as            and inspection of job\n                          documented on the SAAR form.               
descriptions that DFAS-\n\n                                                         98\n\x0cCO\n              Control Objective                       Control Activity                         Test Procedure                    Results of Testing\nNo.\n                                                                                       Indianapolis had effectively\n                                                                                       segregated incompatible duties.\n                                                                                       Read the DFAS-Indianapolis\n                                                                                       organizational chart and job\n                                                                                       descriptions to confirm that all\n                                                                                       positions were established in\n                                                                                       writing.\n\n77    System management job descriptions   DISA DECC-Ogden                             DISA DECC-Ogden                    DISA DECC-Ogden\n      have been documented.                All job descriptions are documented and     Confirmed through inquiry of       No relevant exceptions noted.\n                                           stored at DISA DECC-Ogden.                  
DISA DECC-Ogden personnel\n                                                                                       and inspection of job\n                                                                                       descriptions that DISA had\n                                                                                       effectively segregated\n                                                                                       incompatible duties.\n\n                                                                                       Inspected the DISA DECC-\n                                                                                       Ogden organization chart to\n                                                                                       confirm that it existed, was\n                                                                                       current, and was approved by\n                                                                                       management.\n\n                                           DFAS-Arlington                              DFAS-Arlington                     DFAS-Arlington\n                                           Job descriptions are reviewed on an         Confirmed through inquiry of       No relevant exceptions noted.\n                                           annual basis in conjunction with            the Information Assurance\n                                           establishing DFAS employee                  Officer and inspection of job\n                                           performance standards. 
After the award      descriptions that DFAS-\n                                           of a contract, the contractor is required   Arlington had segregated\n                                           to submit a Project Management Plan to      incompatible duties.\n                                           state the approach to satisfying contract\n                                           deliverables. This plan includes the job    Read the DDRS PMO\n                                           titles and descriptions of the staffing     organizational chart and job\n                                           plan.                                       descriptions to confirm that all\n                                                                                       positions were established in\n                                                                                       writing.\n\n                                                                                       Inspected the Appointment\n                                                                                       Letters for the Information\n\n                                                                           99\n\x0cCO\n              Control Objective                 Control Activity                        Test Procedure                      Results of Testing\nNo.\n                                                                                Assurance Officer, Assistant\n                                                                                Information Assurance Officer\n                                                                                and the Information Assurance\n                                                                                Manager to confirm that these\n                                                                                individuals had been appointed\n                                                              
                  in writing with their\n                                                                                responsibilities included in their\n                                                                                appointment letters.\n\n                                    DFAS-Indianapolis                           DFAS-Indianapolis                    DFAS-Indianapolis\n                                    Job descriptions are documented for         Confirmed through inquiry of         No relevant exceptions noted.\n                                    TSO personnel in the Mid-tier               DFAS-Indianapolis personnel\n                                    guidelines and procedures. Job              and inspection of job\n                                    responsibilities for the end users of the   descriptions that DFAS-\n                                    application are documented by the           Indianapolis had segregated\n                                    development staff in accordance with        incompatible duties.\n                                    specifics outlined by the requirements\n                                    documentation.                              Read the DFAS-Indianapolis\n                                                                                organizational chart and job\n                                                                                descriptions to confirm that all\n                                                                                positions were established in\n                                                                                writing.\n\n78    System management employees   DISA DECC-Ogden                             DISA DECC-Ogden                      DISA DECC-Ogden\n      understand their duties and   All DISA DECC-Ogden employees               Inspected a random sample of         No relevant exceptions noted.\n      responsibilities.           
  understand their duties and                 three employees and confirmed\n                                    responsibilities in accordance with         through inquiry that they\n                                    DISA policies and procedures. Written       understood their duties and\n                                    position descriptions exist for all         responsibilities and inspected\n                                    security personnel and all personnel are    documentation to confirm that\n                                    aware of their respective roles and         employees had signed position\n                                    responsibilities.                           descriptions.\n\n                                    DFAS-Arlington                              DFAS-Arlington                       DFAS-Arlington\n                                    Supervisors and employees discuss and       Inspected all 13 employees and       No relevant exceptions noted.\n                                    sign performance standards for each         confirmed through inquiry that\n                                    employee. After the award of a              they understood their duties and\n                                    contract, the contractor is required to     responsibilities and inspected\n\n                                                                    100\n\x0cCO\n              Control Objective                        Control Activity                        Test Procedure                     Results of Testing\nNo.\n                                            submit a Project Management Plan to        documentation to confirm that\n                                            state the approach to satisfy contract     employees had signed position\n                                            deliverables. 
This plan verifies the       descriptions.\n                                            contractor\'s understanding of their\n                                            duties.\n\n                                            DFAS-Cleveland                             DFAS-Cleveland                      DFAS-Cleveland\n                                            Employees interviewed understand their     Inspected a random sample of 26     No relevant exceptions noted.\n                                            primary job responsibility and are aware   employees and confirmed\n                                            of documentation identifying their         through inquiry that they\n                                            position description. Each position        understood their duties and\n                                            description identifies major duties,       responsibilities and inspected\n                                            supervisory controls, and guidelines.      documentation to confirm that\n                                                                                       employees had signed position\n                                                                                       descriptions.\n\n                                            DFAS-Indianapolis                          DFAS-Indianapolis                   DFAS-Indianapolis\n                                            The specific duties and responsibilities   Inspected a random sample of        No relevant exceptions noted.\n                                            are part of the job descriptions each      eight employees and confirmed\n                                            employee attests to when accepting the     through inquiry that they\n                                            job. 
These duties and responsibilities     understood their duties and\n                                            are reviewed and managed by the            responsibilities and inspected\n                                            Management Staff of the Configuration      documentation to confirm that\n                                            Management Information System              employees had signed position\n                                                                                       descriptions.\n\n\n79    Management reviews effectiveness of   DISA DECC-Ogden                            DISA DECC-Ogden                     DISA DECC-Ogden\n      control techniques.                   As part of the DITSCAP process, the        Read the latest risk assessment     No relevant exceptions noted.\n                                            DISA DECC-Ogden Information                dated February 20, 2004\n                                            Assurance Manger conducts and              included in the DISA\n                                            reviews the SSAA on an annual basis or     DECC-Ogden SSAA to confirm\n                                            when there is a major change.              that risks were periodically\n                                            Additionally, Automated SRR scripts        assessed.\n                                            are run on each server and reported to\n                                            the Montgomery SRR database on a           Observed the SRR process to\n                                            weekly basis. 
Each system has SRR and      confirm that it occurred and that\n                                            an Information System Security scan        corrective actions were tracked.\n\n                                                                           101\n\x0cCO\n              Control Objective                       Control Activity                         Test Procedure                   Results of Testing\nNo.\n                                           before it is connected to the network.\n                                           The DISA DECC-Ogden Field Security          Inspected a single SRR\n                                           Office runs periodic SRRs and               performed by\n                                           Information System Security scans.          DISA DECC-Ogden and\n                                                                                       inspected the Vulnerability\n                                                                                       Management System findings\n                                                                                       report to confirm findings\n                                                                                       identified by the SRR process\n                                                                                       had been addressed.\n\n                                           DFAS-Arlington                              DFAS-Arlington                    DFAS-Arlington\n                                           The DDRS application security risks are     Read the latest risk assessment   No relevant exceptions noted.\n                                           sampled and analyzed every three years.     
dated July 28, 2002 included in\n                                           These risks are reported to DFAS            the DISA Ogden SSAA to\n                                           Information Assurance management,           confirm that risks were\n                                           and are considered for accreditation and    periodically assessed.\n                                           re-accreditation every three years.\n\n80    Formal procedures guide system       DISA DECC-Ogden                             DISA DECC-Ogden                   DISA DECC-Ogden\n      management personnel in performing   No formal procedures.                       Read SOPs used by DISA            SOPs and DISA DECC-Ogden\n      their duties.                                                                    DECC-Ogden personnel to           SSAA were outdated and\n                                                                                       confirm their DDRS-related job    incomplete.\n                                                                                       duties were documented.\n\n                                           DFAS-Arlington                              DFAS-Arlington                    DFAS-Arlington\n                                           Government employees follow their           Read Standard Operating           Standard Operating Procedures\n                                           performance standards and Standard          Procedures used by DFAS-          were not available for review.\n                                           Operating Procedures (SOP) where            Arlington personnel to confirm\n                                           appropriate. 
After the award of a           their DDRS-related job duties\n                                           contract, the contractor is required to     were documented.\n                                           submit a Project Management Plan to\n                                           state the approach to satisfying contract\n                                           deliverables. Contract staff is guided by\n                                           this plan.\n\n                                           DFAS-Cleveland                              DFAS-Cleveland                    DFAS-Cleveland\n                                           Each DDRS change management policy          Read Standard Operating           No relevant exceptions noted.\n                                           has a Roles and Responsibility section.     Procedures used by DFAS-\n\n                                                                          102\n\x0cCO\n               Control Objective                           Control Activity                           Test Procedure                      Results of Testing\nNo.\n                                               To achieve this objective, it has been         Cleveland personnel to confirm\n                                               declared mandatory for the DDRS                their DDRS-related job duties\n                                               Development Team to observe and                were documented.\n                                               adhere to Policies and Procedures in\n                                               helping to dictate behavior and actions\n                                               during the development process.\n\n                                               DFAS-Indianapolis                              DFAS-Indianapolis                   DFAS-Indianapolis\n                                               The DBAs are governed by the policies          Read 
Standard Operating             No relevant exceptions noted.\n                                               and procedures outlined in the Mid-Tier        Procedures used by DFAS-\n                                               Policy and Procedures.                         Indianapolis personnel to\n                                                                                              confirm their DDRS-related job\n                                                                                              duties were documented.\n\n81    Access procedures enforce the            DISA DECC-Ogden                                DISA DECC-Ogden                     DISA DECC-Ogden\n      principles of separation of duties and   Access to the DDRS Operating System            Confirmed through inquiry of        Seven of nine SAAR forms\n      \xe2\x80\x9cleast privilege.\xe2\x80\x9d                       is based on need-to-know access rules.         the DDRS System Administrator       inspected did not have the\n                                               All users must fill out the SAAR form          the process for obtaining an        signature of the Information\n                                               and have a government official sign the        administrator account on the        Assurance Officer on the SAAR\n                                               form confirming need-to-know access.           DDRS Operating System.              
  Test Procedure (continued from the previous page): ... form.
  Inspected all nine SAAR forms to confirm that a form was on file for
  all System Administrators with access to the DDRS Operating System.

  Results of Testing: One System Administrator did not have a SAAR form
  on file. Additionally, access had not been removed for that user in a
  timely manner. This user's access was subsequently deleted because he
  no longer required access to DDRS.

DFAS-Arlington
  Control Activity: DDRS users have assigned user roles and
  organizational work areas that restrict their activities within
  datasets to what they need for their job duties.

  Test Procedure:
  - Confirmed through inquiry of the Information Assurance Officer the
    process for obtaining a user account on DDRS.
  - Inspected all 18 SAAR forms to confirm that a form was on file for
    the DDRS PMO staff with access to DDRS.
  - Inspected all 22 CMIS access forms to confirm that a form was on
    file for PMO staff with access to the CMIS.

  Results of Testing: Three of 18 SAAR forms did not document
  justification for access, and another three did not document type of
  system access. One of 22 CMIS PMO users had access to roles that were
  not required for his duties. Seven of 22 CMIS PMO users were former
  DDRS PMO staff, but their access to CMIS had not been terminated.

DFAS-Cleveland
  Control Activity: Cleveland Management has identified and authorized
  CMIS, Project Version Control System (PVCS) and Oracle Versioning
  users, and their access has been documented and approved.

  Test Procedure:
  - Confirmed through inquiry of the DDRS Configuration Manager, the
    Project Version Control System (PVCS) Configuration Manager and the
    DDRS Budgetary Module Team Lead the process for recording access to
    the CMIS, the PVCS, and the Oracle Versioning application.
  - Inspected CMIS access forms to confirm that a form was on file for
    the 33 DDRS development staff with access to the CMIS.
  - Inspected 6i Repository User Access Forms for a random sample of 31
    DFAS-Cleveland DDRS staff members to confirm that a form was on file
    for the DDRS development staff with access to the Oracle Versioning
    System.
  - Requested access forms to confirm that a form was on file for DDRS
    development staff with access to the PVCS.

  Results of Testing: There were no forms used to track PVCS access.

DFAS-Indianapolis
  Control Activity: The SAAR form documents the need for the individual
  to access the system. The developers define the roles required for
  the individual job responsibilities, and the Oracle role is the
  catalyst for those permissions defined within the application. These
  roles are subsequently granted to the individual user when access to
  the application is granted.

  Test Procedure:
  - Inquired of the DDRS Project Manager and the lead DBA of the process
    for granting DBA access to DDRS.
  - Inspected all six SAAR forms to confirm that a form was on file for
    the DBAs with access to DDRS.
  - Inquired of the end user account administrator regarding the DDRS
    end user account creation, modification, deletion, and password
    reset process.

  Results of Testing: One of six SAAR forms for DBAs did not have the
  justification for access completed on the SAAR form. None of the six
  SAAR forms inspected for DBAs had the signatures of the Functional
  Data Owner and Information Assurance Officer. One of six DBAs approved
  his own SAAR form.

CO No. 82
Control Objective: Active supervision and review are provided for all
system management personnel.

DISA DECC-Ogden
  Control Activity: Personnel actions are reviewed by a management
  structure of PMO Team Leads, Branch Chief, Division Chief, Deputy
  Director, and Director.

  Test Procedure:
  - Read the DISA DECC-Ogden organizational chart to confirm that a
    management structure was documented.
  - Read position descriptions of DDRS support personnel to confirm
    supervisory responsibilities were documented.

  Results of Testing: No relevant exceptions noted.

DFAS-Arlington
  Control Activity: The immediate and second level supervisors review
  and sign the performance standards and performance appraisals for all
  employees. Contractors provide status reports that are reviewed by the
  Program Manager. In addition, within the PMO, government employees and
  contract staff work as a team in close coordination with the program
  manager.

  Test Procedure:
  - Read the DFAS-Arlington organizational chart to confirm that a
    management structure was documented.
  - Read position descriptions of DDRS support personnel to confirm
    supervisory responsibilities were documented.

  Results of Testing: No relevant exceptions noted.

DFAS-Cleveland
  Control Activity: Every DFAS-Cleveland employee has a local supervisor
  that they report to. This supervisor performs annual performance
  reviews.

  Test Procedure:
  - Read the DFAS-Cleveland organizational chart to confirm that a
    management structure was documented.
  - Read position descriptions of DDRS support personnel to confirm
    supervisory responsibilities were documented.

  Results of Testing: No relevant exceptions noted.

DFAS-Indianapolis
  Control Activity: Annual reviews are conducted for government
  employees by the employee's supervisor. The Federal Government
  conducts reviews of contractors.

  Test Procedure:
  - Read the DFAS-Indianapolis organizational chart to confirm that a
    management structure was documented.
  - Read position descriptions of DDRS support personnel to confirm
    supervisory responsibilities were documented.

  Results of Testing: No relevant exceptions noted.


DDRS-Audited Financial Statements Module

CO No. | Control Objective | Control Activity | Test Procedure | Results of Testing

CO No. 1  Financial Statements
Control Objective: Controls provide reasonable assurance that financial
statements and related footnotes are produced in conformance with the
reporting requirements of the Federal Accounting Standards Advisory
Board (FASAB), Office of Management and Budget (OMB) Bulletin No. 01-09,
Form and Content of Agency Financial Statements (OMB Bulletin No.
01-09), and the Department of the Treasury, Financial Management
Service (Treasury). Controls provide reasonable assurance that financial
statements report all material financial information required by FASAB,
Treasury and OMB, and that automated totals in the financial statements
are appropriately calculated.

  1. Control Activity: DoD Reporting policy ensures that the financial
  statements include all reportable items and that related footnotes
  include all required disclosures in accordance with FASAB, OMB 01-09,
  and Treasury requirements.

  Test Procedure:
  - Read DFAS policies pertaining to the preparation of financial
    statements and footnotes to determine whether they conformed to
    OMB, Treasury and FASAB reporting requirements.
  - Compared the DoD financial statement footnotes appearing in the
    FY 2004 Performance and Accountability Report to the Government
    Accountability Office's "Checklist for Federal Accounting, Reporting
    and Disclosure" to determine whether footnotes included all required
    disclosures in accordance with FASAB and OMB Bulletin No. 01-09.
  - Analyzed DoD Fiscal Year 2005 Quarter 1 (FY 05 Q1) financial
    statements to determine whether issues identified in the DoD FY 04
    financial statements were still valid at FY 05 Q1.
  - Inspected the contents of the Confirmation Letter issued by the
    customer to signify the review and acceptance of the financial
    statements prepared by DFAS.
  - Confirmed, through corroborative inquiry, that footnotes included
    all required disclosures in accordance with FASAB and OMB Bulletin
    No. 01-09.

  Results of Testing (DFAS-Arlington): Policies related to the
  preparation of financial statements and footnote disclosures did not
  provide for the reporting and disclosure of accounting information
  required by the Federal Accounting Standards Advisory Board (FASAB)
  and Office of Management and Budget (OMB) Bulletin 01-09 as follows:
  1) The Statement of Net Cost was not presented by program.
  2) The value of Property in hands of contractors was not reported.
  3) Property Plant & Equipment requirements change for Statement of
     Federal Financial Accounting Standard 23 had not yet been
     implemented.
  4) Trading Partner elimination amounts were not corroborated by the
     buyer entity.
  5) The methodology used to value Deferred Maintenance was not
     disclosed in the footnotes.
  6) The value of Heritage Assets, seized property, certain categories
     of operating materials and supplies, non-exchange custodial
     revenue, and restrictions pertaining to unobligated balances were
     not disclosed.

  2. Control Activity: Templates are used to produce financial
  statements in conformance with the United States Standard General
  Ledger (USSGL), Supplement No. S2 of the Treasury Financial Manual,
  for the following statements:
  1) Balance Sheet.
  2) Statement of Net Cost.
  3) Statement of Changes in Net Position.
  4) Statement of Budgetary Resources.
  5) Statement of Financing.
  6) Statement of Custodial Activity, when applicable.

  Test Procedure:
  - Compared the DDRS-AFS financial statement templates, Chart of
    Accounts, and account attributes to the USSGL for consistency.
  - Confirmed, through corroborative inquiry, that templates were used
    to produce financial statements and related footnotes in conformance
    with the USSGL.

  Results of Testing (DFAS-Arlington): A formal system was not in place
  to identify differences between the DDRS-AFS report maps and the USSGL
  crosswalks, and the reasons for those differences. Furthermore, the
  mapping of accounts used for the preparation of the Statement of
  Custodial Activity did not conform to Treasury requirements, and
  accounts with the custodial attribute were improperly mapped to the
  Statement of Changes in Net Position.

  3. Control Activity: Automated totals are used within financial
  statement templates to ensure that financial statement sub-totals and
  totals are mathematically correct.

  Test Procedure:
  - Recalculated the FY 04 DoD consolidated financial statement
    subtotals and totals to determine whether line item amounts
    accurately summed to their respective subtotals and totals, and that
    consolidating statements summed to the DoD-wide consolidated
    statements.
  - Confirmed, through corroborative inquiry, that automated totals
    within the templates appropriately summarized the financial
    statement line items and that sub-totals and totals are
    mathematically correct.

  Results of Testing:
  DFAS-Arlington: No relevant exceptions noted.
  DFAS-Cleveland: No relevant exceptions noted.

  4. Control Activity: DDRS-AFS system design and other related
  procedures ensure that footnote schedule totals agree to the
  applicable line items in the statements, and that the associated
  narrative is properly reflected in the footnote disclosures.

  Test Procedure:
  - Reviewed the footnote editing process in DDRS-AFS to determine
    whether the final version of the narrative was carried forward to
    the financial statements.
  - Inspected the DDRS-AFS generated "Footnote to Statement"
    reconciliation reports for differences between financial statement
    line items and footnote totals.
  - Confirmed, through corroborative inquiry, that the footnote
    narrative prepared in DDRS-AFS is carried forward to the footnotes
    in the final version of the financial statements.

  Results of Testing (DFAS-Arlington, DFAS-Cleveland): Users could
  inadvertently overwrite the footnotes of another entity processed by
  the same DFAS center, or overwrite each other's footnote edits within
  the same entity. However, mitigating controls were in place because
  the footnote narratives were reviewed by the customer to ensure that
  the content of the footnote was complete, as evidenced in the
  completed Standard Guidance Checklist and the customer's issuance of
  the Confirmation Letter. Thus, the control activity and the associated
  mitigating controls supported the control objective.

  5. Control Activity: Reporting and accounting guidance is prepared by
  DFAS-Arlington and disseminated to DFAS Centers to ensure that staff
  receive adequate training on the use of DDRS-AFS and maintain their
  knowledge of FASAB and DoD reporting requirements.

  Test Procedure:
  - Inspected relevant policies, current FASAB reporting requirements,
    and relevant FASAB accounting treatments to determine whether they
    were included in the Quarterly Guidance.
  - Obtained e-mail distribution lists to determine whether
    DFAS-Arlington distributed the Quarterly Guidance to DFAS centers.
  - Confirmed, through corroborative inquiry, that the staff were
    adequately trained to maintain their knowledge of DDRS-AFS processes
    and FASAB reporting requirements.
  - Confirmed, through corroborative inquiry, that DDRS-AFS communicated
    FASAB and reporting requirements.

  Results of Testing (DFAS-Arlington): No relevant exceptions noted.

  6. Control Activity: Procedures are implemented to ensure that
  DDRS-AFS financial statements are internally consistent and that the
  proper budgetary and proprietary accounting relationships are
  established.

  Test Procedure:
  - Confirmed, through observation, that the DFAS centers:
    - Prepared the reconciliation reports as required by DFAS-Arlington
      to ensure that financial statements are consistent and that the
      proper budgetary and proprietary relationships are established,
    - Explained unresolved reconciling items, and
    - Submitted explanations to DFAS-Arlington as required by the
      Quarterly Guidance.
  - Confirmed, through corroborative inquiry, that DDRS-AFS financial
    statements were consistent with the USSGL as published by the U.S.
    Treasury.

  Results of Testing (DFAS-Arlington, DFAS-Cleveland,
  DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver): The reconciliation
  process frequently resulted in adjustments to force agreement between
  data sources rather than to facilitate an analysis of the differences
  at the transaction level. Secondly, a policy to provide feedback to
  the client so that erroneous data causing the reconciliation
  differences could be corrected was not in place.

  7. Control Activity: Prior to each reporting period or on a periodic
  basis, the DDRS-AFS Chart of Accounts and report maps are updated to
  reflect changes in the USSGL Chart of Accounts and financial statement
  crosswalks.

  Test Procedure:
  - Confirmed, through corroborative inquiry with DFAS-Arlington
    management, that periodic reviews of the DDRS Chart of Accounts and
    report maps are performed.
  - Confirmed, through corroborative inquiry, that prior to each
    reporting period or on a periodic basis, the USSGL was reviewed for
    changes applicable to the DDRS-AFS module Chart of Accounts.

  Results of Testing (DFAS-Arlington): No relevant exceptions noted.

  8. Control Activity: Controls ensure that the balances represented in
  the financial statements are based on the current reporting period.

  Test Procedure:
  - Inspected the trial balance import sheet to determine if data checks
    were enabled to allow DDRS-AFS to confirm that the period for which
    trial balance information was being imported was the current
    reporting period.
  - Confirmed, through corroborative inquiry, that the balances
    represented in the financial statements were based on the proper
    reporting period.

  Results of Testing (DFAS-Arlington, DFAS-Cleveland,
  DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver): Information contained
  on the Microsoft Excel trial balance import sheets did not indicate
  the quarterly reporting period that the uploaded information pertained
  to. However, as a mitigating control, the local unique process to
  prepare balances for import into DDRS-AFS contained controls to ensure
  that the balances are being imported for the current reporting period.
  Additionally, variation analysis would detect an incorrect upload that
  was not related to the current period. Thus, the control activity and
  the associated mitigating control supported the control objective.

  9. Control Activity: DFAS procedures are implemented to ensure that
  the DDRS-AFS module's database is recalculated automatically or
  manually initiated prior to issuing the financial statements for the
  current reporting period.

  Test Procedure:
  - Inspected database controls to determine whether a database
    recalculation was manually initiated in DDRS-AFS prior to issuing
    financial statements in the DDRS-AFS module.
  - Confirmed, through corroborative inquiry, that a database
    recalculation was manually performed prior to issuing the financial
    statements for the current reporting period.

  Results of Testing (DFAS-Arlington, DFAS-Cleveland): Although the
  database recalculation was manually initiated in DDRS-AFS, there were
  no systematic controls to automatically perform the reconciliation
  prior to producing financial statements. However, a mitigating control
  was in place because each center periodically performed an entity
  level recalculation and the PMO periodically performed an agency wide
  level recalculation.

  10. Control Activity: DDRS-AFS is programmed to ensure that trading
  partner eliminations are performed at the appropriate level (e.g.
  fund, component or agency wide) and that balances in the accounts that
  record trading partner activity are properly eliminated.

  Test Procedure:
  - Analyzed DDRS-AFS reports and screen shots to determine whether
    amounts appearing on trading partner import sheets were carried to
    the elimination column of the consolidating

  Results of Testing (DFAS-Arlington, DFAS-Cleveland,
  DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver):
Balance Sheet and Statement of      No relevant exceptions noted.\n                                                                      Net Cost.\n\n                                                                      Confirmed, through\n                                                                      corroborative inquiry, that\n                                                                      trading partner eliminations\n                                                                      were performed at the\n                                                                      appropriate level and that\n                                                                      balances in the accounts that\n                                                                      record trading partner activity\n                                                                      are properly eliminated.\n\n                          11. DDRS-AFS applications controls          Inspected reconciliation reports    Although DFAS Centers\n                          are designed to ensure that the ending      that DFAS-Arlington required of     periodically reviewed user access\n                          balances for the prior fiscal year become   DFAS centers for FY 04 and FY       roles for appropriateness, some of\n                          the beginning balances for the current      05 Q1 to determine whether the      the DFAS Centers had a\n                          fiscal year for all real accounts, and      reconciliation between Prior        questionable number of users\n                          reporting in subsequent periods does not    Year ending balances and            assigned the HQSA role.\n                          affect these balances unless proper         Current Year beginning balances     Specifically:\n                          authorization is granted.                   
was performed and showed no         - DFAS-Arlington had 13 users\n                                                                      differences between ending and      assigned the HQSA role.\n                                                                      beginning balances.                 - DFAS-Denver had 10 users\n                                                                                                          assigned the HQSA role.\n                                                                      Observed that balances for each     - DFAS-Columbus had 17 users\n                                                                      quarter were cumulative and did     assigned the HQSA.\n                                                                      not affect the beginning balance.\n                                                                                                          However, as a mitigating control,\n                                                                                                          the Centers periodically review the\n\n                                                         113\n\x0cCO\n      Control Objective   Control Activity                 Test Procedure                       Results of Testing\nNo.\n                                                   Selected financial statement         user access roles to determine if\n                                                   account line item balances and       access is appropriate.\n                                                   determined that the ending\n                                                   balance at FY 04 became the          Out of 162 total SAAR forms\n                                                   beginning balance for the next       tested for all DDRS-AFS users,\n                                                   year.                                
eight related to users of the\n                                                                                        DDRS_CFO_BEGINNING_BAL\n                                                   Selected a random sample of          role which provides users with this\n                                                   DFAS-AFS users to determine if       role the ability to adjust beginning\n                                                   System Authorization Access          balances in DDRS-AFS. Of these\n                                                   Request (SAAR) forms matched         eight users:\n                                                   the access provided.                 - Six users had a SAAR form on\n                                                                                        file dated prior to 2004, which did\n                                                   Inspected a list of DDRS-AFS         not provide enough detail to\n                                                   users assigned the beginning         indicate the user role or DFAS\n                                                   balance modification role, and       center to which access should be\n                                                   the Headquarters Security            granted.\n                                                   Administrator (HQSA) role, to        - One user had a post 2004 SAAR\n                                                   determine whether this access        form on file, but the specific role\n                                                   was appropriate for their job        did not exist on the SAAR form.\n                                                   responsibilities. 
HQSA is a          - One user had a post 2004 SAAR\n                                                   powerful role that, while            form on file, but the specific role\n                                                   necessary on a limited basis,        was not indicated on the form.\n                                                   does not encompass the\n                                                   principles of separation of duties   Out of 162 total SAAR forms\n                                                   and least privilege.                 tested for all DDRS-AFS users, 12\n                                                                                        related to users of the\n                                                   Inspected e-mail traffic to          DDRS_CFO_HQSA role which\n                                                   confirm that DFAS Centers            provides users with this role the\n                                                   periodically review user access      ability to assign and remove roles\n                                                   for appropriateness.                 in DDRS-AFS. 
Of these 12 users:\n                                                                                        - Nine users had a SAAR form on\n                                                   Confirmed, through                   file dated prior to 2004, which did\n                                                   corroborative inquiry, that the      not provide enough detail to\n                                                   ending balances at FY 04             indicate the user role or DFAS\n                                                   became the beginning balances        center to which access should be\n                                                   for the next year, and that          granted;\n                                                   balances could not be altered\n\n                                             114\n\x0cCO\n      Control Objective   Control Activity                 Test Procedure           Results of Testing\nNo.\n                                                   without authorization.   
- Two users had a post 2004\n                                                                            SAAR form on file, but the\n                                                                            DDRS-AFS role granted on the\n                                                                            form did not match access\n                                                                            provided in DDRS-AFS; and,\n                                                                            - One user did not have a SAAR\n                                                                            form available.\n\n                                                                            However, DFAS Centers\n                                                                            periodically reviewed user access\n                                                                            roles but did not determine\n                                                                            whether these 12 HQSA users\n                                                                            were appropriate.\n\n                                                                            DFAS-Arlington\n                                                                            Out of 24 users with the beginning\n                                                                            balance modification role, 23 of\n                                                                            them did not require this role to\n                                                                            perform their job responsibilities.\n                                                                            The SAAR form used for DDRS-\n                                                                            AFS prior to 2004 did not include\n                                                                            
specific role categories for which a\n                                                                            user had been authorized.\n\n                                                                            DFAS-Denver\n                                                                            A systems developer was assigned\n                                                                            access to the production\n                                                                            environment as a HQSA, which\n                                                                            creates segregation of duties risks.\n                                                                            The HQSA role can add, change,\n                                                                            and delete information.\n\n\n\n\n                                             115\n\x0cCO\n      Control Objective              Control Activity                       Test Procedure                     Results of Testing\nNo.\n                          12. The design of DDRS-AFS in             Recalculated financial statement   DFAS-Cleveland\n                          conjunction with manual procedures        line items using the data in the   DFAS-Indianapolis\n                          ensures that the FACTS 1 file submitted   FACTS 1 file submitted to          DFAS-Columbus\n                          to Treasury is consistent with the        Treasury for FY 04 to determine    DFAS-Denver\n                          amounts reported in the financial         whether the file agreed to the\n                          statements.                               financial statements.              
Management did not sign-off on\n                                                                                                       the FACTS 1 file or on the\n                                                                    Confirmed, through                 Treasury confirmation of a\n                                                                    corroborative inquiry, that the    successful upload as evidence that\n                                                                    FY 04 FACTS 1 file submitted       a review was performed before or\n                                                                    to Treasury was consistent with    after submission to Treasury.\n                                                                    the FY04 financial statements.     Additionally, DDRS-AFS\n                                                                                                       produced an incorrect Treasury\n                                                                                                       symbol for DoD Working Capital\n                                                                                                       Funds and personnel had to\n                                                                                                       manually change the text file\n                                                                                                       before transmission. 
At DFAS-\n                                                                                                       Denver, however, as a mitigating\n                                                                                                       control, personnel ensured that the\n                                                                                                       text file balanced before\n                                                                                                       transmission to Treasury, and they\n                                                                                                       maintained the Treasury\n                                                                                                       confirmation of a successful\n                                                                                                       upload in their records.\n\n\n\n\n                                                        116\n\x0cCO\n      Control Objective             Control Activity                      Test Procedure                    Results of Testing\nNo.\n                          13. The DDRS-AFS generated               Inspected the series of           DFAS-Arlington\n                          Statement of Budgetary Resources is      reconciliation reports that       DFAS-Cleveland\n                          reconciled to the Report on Budget       DFAS-Arlington requires of        DFAS-Indianapolis\n                          Execution and Budgetary Resources        DFAS centers for FY 04 and FY     DFAS-Columbus\n                          (SF-133) to ensure that DDRS-AFS is in   05 Q1 to determine whether the    DFAS-Denver\n                          agreement with the budgetary system      reconciliation between\n                          which prepares the SF-133 on a monthly   Statement of Budgetary            Although the SF-133 and\n                          basis.           
                        Resources and Report on Budget    Statement of Budgetary Resources\n                                                                   Execution and Budgetary           reconciliation was performed,\n                                                                   Resources (SF-133.) was           management did not sign off on\n                                                                   performed and differences were    the reconciliation reports\n                                                                   explained.                        evidencing a review before they\n                                                                                                     were submitted to DFAS-\n                                                                   Confirmed, through                Arlington.\n                                                                   corroborative inquiry, that the\n                                                                   Statement of Budgetary\n                                                                   Resources is reconciled to the\n                                                                   Report on Budget Execution and\n                                                                   Budgetary Resources (SF-133)\n                                                                   to ensure that DDRS-AFS is in\n                                                                   agreement with the budgetary\n                                                                   system, which prepares the\n                                                                   SF-133 on a monthly basis.\n\n\n\n\n                                                       117\n\x0cCO\n                Control Objective                           Control Activity                        Test Procedure                      Results of Testing\nNo.\n2     Audit Trails\n      
Controls provide reasonable                1. DDRS-AFS has the capability to          Used hyperlinks embedded in         DFAS-Cleveland\n      assurance that DDRS-AFS produces           allow users to view the components of      the DDRS-AFS final trial            No relevant exceptions noted\n      financial statements that are              financial statement line items at the      balance supporting the financial\n      supported by audit trails that are         various levels of consolidation \xe2\x80\x93 from     statements to view and trace the\n      adequate for the financial                 the reporting \xe2\x80\x9centity\xe2\x80\x9d level to the        components of line items,\n      management entity and external             \xe2\x80\x9cprogram\xe2\x80\x9d level where information is       including Journal Voucher\n      auditors to trace amounts reported in      originally input.                          adjustments, from the entity\n      the financial statement back to trial                                                 level of consolidation back to\n      balances and data from feeder                                                         the program level where trial\n      systems. Controls provide                                                             balance was originally entered\n      reasonable assurance that audit trails                                                either manually or uploaded\n      indicate the user inputting the trial                                                 using \xe2\x80\x9cimport sheets\xe2\x80\x9d created in\n      balance and the user approving the                                                    Microsoft Excel.\n      trial balance. 
All audit trails indicate\n      the user inputting the Journal                                                        Confirmed, through\n      Voucher and the user approving the                                                    corroborative inquiry, that\n      Journal Voucher. Audit trails are                                                     components of financial\n      reviewed on a regular basis for                                                       statement line item amounts may\n      appropriateness.                                                                      be viewed at the entity, sub-\n                                                                                            entity, program group, and\n                                                                                            program level.\n                                                 2. Balances entered into DDRS-AFS          Obtained a random sample of         DFAS-Cleveland\n                                                 either (1) manually, or (2) imported via   trial balance upload system audit   Although trial balance deletions\n                                                 Microsoft Excel import sheets, or (3)      trails to determine whether they    were recorded in the audit log with\n                                                 imported from the Data Collection          contained username, date, and       a date, time, and user ID, there was\n                                                 Module (DCM) are supported by system       time of uploads into DDRS-          no entry in the log indicating the\n                                                 audit trails.                              AFS.                                
original deleted trial balance\n                                                                                                                                amounts.\n                                                                                            Confirmed, through\n                                                                                            corroborative inquiry, that\n                                                                                            balances entered into DDRS-\n                                                                                            AFS (1) manually, or (2)\n                                                                                            imported via Microsoft Excel\n                                                                                            import sheets, or (3) imported\n                                                                                            from the DCM, are supported by\n                                                                                            systems audit trails.\n\n                                                                               118\n\x0cCO\n      Control Objective              Control Activity                       Test Procedure                      Results of Testing\nNo.\n                          3. 
Journal Vouchers entered into DDRS-    Inspected the Journal Voucher       DFAS-Cleveland\n                          AFS are supported by audit trails         system audit log in DDRS-AFS        An audit trail was not established\n                          indicating (1) the User ID entering the   to determine whether Journal        for Journal Vouchers which were\n                          Journal Voucher (2) the User ID           Vouchers were supported by          deleted as a part of the trial\n                          approving the journal, and (3) the date   audit trails indicating the User    balance deletion function.\n                          and time when the Journal Voucher was     ID entering the Journal Voucher     Additionally, the audit trail for\n                          entered and posted.                       and the User ID approving the       cancelled Journal Vouchers did not\n                                                                    Journal Voucher, and the dates      display the user who performed the\n                                                                    and times of entry and approval.    cancellation, nor the date or reason\n                                                                                                        for the cancellation. 
Lastly, the\n                                                                    Confirmed, through                  DDRS Journal Voucher log which\n                                                                    corroborative inquiry, that         was exported into Microsoft Excel\n                                                                    Journal Vouchers entered in         for analysis did not accurately\n                                                                    DDRS-AFS were supported by          display the Journal Voucher\n                                                                    audit trails indicating the User    approval identification, although\n                                                                    ID entering the Journal Voucher,    the Journal Voucher unique\n                                                                    the User ID approving the           identifier control number was\n                                                                    Journal Voucher, and the dates      correctly displayed. However, as a\n                                                                    and times of entry and approval.    mitigating control, the approval\n                                                                                                        identification displayed properly in\n                                                                                                        Microsoft Word and Adobe\n                                                                                                        Acrobat. 
Thus, the control\n                                                                                                        activities and the associated\n                                                                                                        mitigating controls supported the\n                                                                                                        control objective.\n\n                          4. Audit trails in DDRS-AFS are           Inspected audit trails at each      DFAS-Cleveland\n                          periodically reviewed for                 center to determine whether         DFAS-Columbus\n                          appropriateness and unusual activity on   signoffs existed to confirm audit   DFAS-Indianapolis\n                          a quarterly basis.                        trails were reviewed.               DFAS-Denver\n\n                                                                    Confirmed, through                  System audit logs are not regularly\n                                                                    corroborative inquiry that, audit   reviewed. Secondly, a report\n                                                                    trails in DDRS-AFS were             which would facilitate a review of\n                                                                    reviewed for appropriateness        the audit log pertaining to footnote\n                                                                    and unusual activity on a           uploads was not implemented\n                                                                    quarterly basis.                    
during the period covered by our testwork but was subsequently implemented in March. However, we were unable to confirm that the footnote audit logs were reviewed in the reporting period following their implementation.

Control Activity 5: Deleted trial balances and associated deleted Journal Vouchers are recorded with the User ID, date, and time they were deleted.
Test Procedure: Inspected trial balance deletion logs to determine whether deleted trial balances and deleted journal entries were recorded with the User ID, date and time deleted. Confirmed, through corroborative inquiry, that all deleted trial balances and associated journal entries were recorded with the User ID, date and time deleted.
Results of Testing (DFAS-Cleveland): DDRS-AFS did not maintain a history of the detail of trial balance deletions and the associated deleted Journal Vouchers that may have been posted to the trial balance prior to deletion.

CO No. 3: Journal Vouchers
Control Objective: Controls provide reasonable assurance that Journal Vouchers are:
- supported by adequate documentation, and approved prior to entry into a DDRS-AFS table;
- processed with the duties of preparation and approval being properly segregated; and,
- in balance prior to entry into DDRS.

Control Activity 1: Procedures are in place to ensure that the Journal Voucher package is reviewed for adequacy and approved prior to entry into DDRS-AFS.
Test Procedure: Selected a random sample of Journal Vouchers to determine whether they were supported by adequate documentation and approved prior to entry into DDRS-AFS. Confirmed, through corroborative inquiry, that Journal Vouchers were reviewed for adequate documentation and approved prior to entry into DDRS-AFS.
Results of Testing (DFAS-Arlington, DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver): Adherence to the FMR Journal Voucher approval policy was inconsistent across the DFAS centers. DFAS Directors were designated by the FMR to approve Journal Vouchers in excess of one billion dollars. Although Journal Voucher packages were reviewed by management before entry into DDRS-AFS, the FMR requirement that Journal Vouchers in excess of one billion dollars be specifically approved by the Director prior to entry was not always adhered to in a timely manner.
C, I, and E categories of Journal Vouchers, which facilitate agreement between the financial statements and internal or external reports or facilitate proper trading partner elimination, were not supported by a transaction-level analysis. Thus, the amounts appearing in the Journal Voucher were mainly differences between select line items in the statements at the reporting level, or a simple adjustment of buyer-side data to seller-side data without reconciliation between buyer and seller data.

Control Activity 2: User roles are established to ensure that Journal Vouchers are approved by an individual other than the one who enters the Journal Voucher and who has authority to approve it, and that the ability to enter or modify information contained in a Journal Voucher is restricted to authorized personnel.
Test Procedure: Selected a random sample of DDRS-AFS users to determine if SAAR forms matched the access provided. Inspected a list of DDRS-AFS users assigned the Journal Voucher approver role and the HQSA role to determine whether this access was appropriate for their job responsibilities. HQSA is a powerful role that, while necessary on a limited basis, does not encompass the principles of separation of duties and least privilege. Inspected e-mail traffic to confirm that DFAS Centers periodically review user access for appropriateness. Inspected DDRS-AFS system audit logs and system controls to determine whether users could approve their own Journal Vouchers. Confirmed, through corroborative inquiry, that Journal Vouchers were approved by an individual other than the individual who entered the Journal Voucher. Confirmed, through corroborative inquiry, that the ability to enter or modify information contained in a Journal Voucher was restricted to authorized personnel.
Results of Testing: Although DFAS Centers periodically reviewed user access roles for appropriateness, some of the DFAS Centers had a questionable number of users assigned the HQSA role. Specifically:
- DFAS-Arlington had 13 users assigned the HQSA role.
- DFAS-Denver had 10 users assigned the HQSA role.
- DFAS-Columbus had 17 users assigned the HQSA role.
Controls were designed to provide for access to DDRS-AFS on a center-level basis, instead of by responsible work area. As such, a user may have access to information that they do not necessarily need.
Out of 162 total SAAR forms tested for all DDRS-AFS users, 27 related to users of the DDRS_CFO_JV_CREATOR role, which gives its holders the ability to create Journal Vouchers in DDRS-AFS. Of these 27 users:
- Ten users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be granted;
- Ten users had a post-2004 SAAR form on file, but the specific role was not indicated on the form;
- One user had a post-2004 SAAR form on file, but the DDRS-AFS role granted on the form did not match the access provided in DDRS-AFS; and,
- Two users were missing one or more required signatures.
However, DFAS Centers periodically reviewed user access roles for appropriateness.
Out of 162 total SAAR forms tested for all DDRS-AFS users, 19 related to users of the DDRS_CFO_JV_APPROVER roles, which give their holders the ability to approve Journal Vouchers at different levels in DDRS-AFS. Of these 19 users:
- Nine users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be granted;
- One user had a post-2004 SAAR form on file, but the specific role did not exist on the SAAR form;
- One user had a post-2004 SAAR form on file, but the specific role was not indicated on the form; and,
- Two users had a post-2004 SAAR form on file, but the DDRS-AFS role granted on the form did not match the access provided in DDRS-AFS.
However, DFAS Centers periodically reviewed user access roles for appropriateness.
Out of 162 total SAAR forms tested for all DDRS-AFS users, 12 related to users of the DDRS_CFO_HQSA role, which gives its holders the ability to assign and remove roles in DDRS-AFS. Of these 12 users:
- Nine users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be granted;
- Two users had a post-2004 SAAR form on file, but the DDRS-AFS role granted on the form did not match the access provided in DDRS-AFS; and
- One user did not have a SAAR form available.
DFAS Centers periodically reviewed user access roles for appropriateness, but did not determine whether these 12 HQSA users were appropriate.
DFAS-Arlington: The DDRS-AFS SAAR form used prior to 2004 did not include specific role categories for which a user had been authorized.
DFAS-Denver: A systems developer was assigned access to the production environment as a HQSA, which creates segregation of duties risks. At DFAS-Denver, there are two individuals with high-dollar-value Journal Voucher approval authority inconsistent with internal guidance provided by the Center. However, as a mitigating control, the Journal Vouchers were approved by an appropriate individual.

Control Activity 3: DDRS-AFS application controls prevent the processing of out-of-balance Journal Vouchers, and notify the user of the out-of-balance condition with an error message.
Test Procedure: Observed that an attempt to enter an out-of-balance Journal Voucher was unsuccessful and resulted in an error message being displayed notifying the user of the out-of-balance condition. Confirmed, through corroborative inquiry, that DDRS-AFS will not process out-of-balance Journal Vouchers.
Results of Testing (DFAS-Cleveland): No relevant exceptions noted.

Control Activity 4: DDRS-AFS is designed to ensure that Journal Vouchers entered into DDRS-AFS are included in the intended reporting period.
Test Procedure: Reviewed the Journal Voucher input process to determine whether Journal Vouchers can only be input for the current period. Traced certain Journal Vouchers through DDRS-AFS to determine whether the Journal Vouchers update the financial statements. Confirmed, through corroborative inquiry, that the Journal Vouchers entered into DDRS-AFS were included in the intended reporting period.
Results of Testing (DFAS-Cleveland): No relevant exceptions noted.
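The user-role checks the auditors describe under control activity 2 (SAAR forms reconciled to the access actually provisioned, approver and HQSA holders reviewed for appropriateness, audit logs inspected for self-approval) can be run mechanically over an access export and the voucher log. The script below is an added example and is not part of the report or of DDRS-AFS. The three role names are the ones the report cites; every user, center, date, SAAR record and log line is constructed sample data, and the per-center HQSA limit is an assumed local policy, not a figure from the report.

```python
"""Review of journal voucher (JV) user roles, SAAR forms and approval chains.
Added example, not DoD IG or DDRS-AFS code; all records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import date

CREATOR = "DDRS_CFO_JV_CREATOR"
APPROVER = "DDRS_CFO_JV_APPROVER"
HQSA = "DDRS_CFO_HQSA"                  # can assign and remove roles
SAAR_DETAIL_CUTOFF = date(2004, 1, 1)   # older forms carry no role/center detail
HQSA_PER_CENTER_LIMIT = 1               # assumption for the example only

# Constructed: access actually provisioned in the application (user, center, role).
PROVISIONED = [
    ("alice", "DFAS-Cleveland", CREATOR),
    ("bob",   "DFAS-Cleveland", APPROVER),
    ("carol", "DFAS-Cleveland", CREATOR),
    ("carol", "DFAS-Cleveland", APPROVER),   # creator + approver on one account
    ("dave",  "DFAS-Denver",    HQSA),       # developer with production HQSA
    ("erin",  "DFAS-Denver",    HQSA),
    ("grace", "DFAS-Denver",    APPROVER),
]
DEVELOPERS = {"dave"}

# Constructed SAAR forms on file; role=None means the form names no role.
SAAR_FORMS = {
    "alice": {"date": date(2005, 2, 1), "role": CREATOR, "signed": True},
    "bob":   {"date": date(2003, 6, 1), "role": None,    "signed": True},   # pre-2004 form
    "carol": {"date": date(2005, 1, 5), "role": CREATOR, "signed": True},   # APPROVER not on form
    "dave":  {"date": date(2005, 3, 9), "role": HQSA,    "signed": False},  # signature missing
    "erin":  {"date": date(2004, 8, 2), "role": None,    "signed": True},   # role not indicated
    # grace: no SAAR form on file
}

# Constructed JV audit log: (control number, entered by, approved by).
JV_LOG = [
    (1001, "alice", "bob"),
    (1002, "carol", "carol"),   # self-approval
    (1003, "alice", "grace"),
    (1004, "alice", "erin"),    # erin holds HQSA but no approver role
]


def review_saar_forms(provisioned, forms):
    """Reconcile each provisioned role to the SAAR form on file; one finding per gap."""
    findings = []
    for user, _center, role in provisioned:
        form = forms.get(user)
        if form is None:
            findings.append((user, role, "no SAAR form on file"))
        elif form["date"] < SAAR_DETAIL_CUTOFF:
            findings.append((user, role, "pre-2004 form lacks role and center detail"))
        elif not form["signed"]:
            findings.append((user, role, "required signature missing"))
        elif form["role"] is None:
            findings.append((user, role, "role not indicated on form"))
        elif form["role"] != role:
            findings.append((user, role, "form role does not match provisioned role"))
    return findings


def review_role_assignments(provisioned, developers, hqsa_limit=HQSA_PER_CENTER_LIMIT):
    """Flag creator+approver combinations, developers holding HQSA, and HQSA sprawl."""
    roles_by_user = defaultdict(set)
    hqsa_by_center = Counter()
    for user, center, role in provisioned:
        roles_by_user[user].add(role)
        if role == HQSA:
            hqsa_by_center[center] += 1
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        if {CREATOR, APPROVER} <= roles:
            findings.append((user, "holds both JV creator and approver roles"))
        if HQSA in roles and user in developers:
            findings.append((user, "developer holds HQSA in production"))
    for center, count in sorted(hqsa_by_center.items()):
        if count > hqsa_limit:
            findings.append((center, f"{count} HQSA users exceeds limit of {hqsa_limit}"))
    return findings


def review_approvals(jv_log, provisioned):
    """Flag self-approved vouchers and approvals by users without the approver role."""
    approvers = {user for user, _center, role in provisioned if role == APPROVER}
    findings = []
    for jv, entered_by, approved_by in jv_log:
        if entered_by == approved_by:
            findings.append((jv, "entered and approved by the same user"))
        elif approved_by not in approvers:
            findings.append((jv, f"approved by {approved_by}, who holds no approver role"))
    return findings


def run_review():
    """Run every check over the sample data and return findings by category."""
    return {
        "saar": review_saar_forms(PROVISIONED, SAAR_FORMS),
        "roles": review_role_assignments(PROVISIONED, DEVELOPERS),
        "approvals": review_approvals(JV_LOG, PROVISIONED),
    }


if __name__ == "__main__":
    for category, findings in run_review().items():
        print(f"[{category}] {len(findings)} finding(s)")
        for finding in findings:
            print("   ", " | ".join(str(part) for part in finding))
```

The role-level check complements the log review rather than duplicating it: the log shows whether a self-approval actually happened, while the provisioning data shows who could have done it, which is the question a periodic access review has to answer for accounts that never appear in the log.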
Control Activity 5: DDRS-AFS is designed so that Journal Vouchers entered into DDRS-AFS update all applicable general ledger account balances (i.e., budgetary, proprietary and memorandum accounts) and are included in the final trial balance numbers.
Test Procedure: Selected a random sample of Journal Vouchers entered into DDRS-AFS to determine whether they updated applicable general ledger account balances and were included in the final trial balance numbers.
Results of Testing (DFAS-Arlington): Two out of forty-five Journal Vouchers selected could not be traced to the correct trial balance and USSGL account because, according to the DFAS-Arlington PMO, the server responsible for generating the view of the trial balance and voucher being tested was not functioning properly and was not repaired before our testing concluded.

Control Activity 6: DDRS-AFS PMO enables a lock-out mechanism to ensure that no adjustments are made to the trial balance subsequent to the submission of the financial statements to OMB.
Test Procedure: Inspected the system audit log indicating the lockout occurred and observed that the lockout mechanism was enabled prior to the release of the statements to OMB, and that the mechanism was effective in preventing additional adjustments to the financial statements. Confirmed, through corroborative inquiry, that the DDRS-AFS PMO enables a lock-out mechanism to ensure that no adjustments were made to the trial balance subsequent to the submission of the financial statements to OMB.
Results of Testing (DFAS-Arlington): No relevant exceptions noted.

Control Activity 7: DDRS-AFS assigns control numbers in sequence to uniquely identify Journal Vouchers, and produces a sequentially ordered Journal Voucher log which can be used to identify missing vouchers and facilitate research.
Test Procedure: Inspected the Journal Voucher log to determine whether it was sequentially ordered and, if breaks in the sequence of control numbers existed, whether they were explained. Confirmed, through corroborative inquiry, that missing Journal Voucher entries are identified by inspecting the sequence of control numbers assigned to Journal Vouchers by DDRS-AFS.
Results of Testing (DFAS-Cleveland): Inspection of the Journal Voucher log showed that some numbers were missing from the sequence of Journal Voucher numbers as a result of a trial balance and associated Journal Vouchers being deleted. Additionally, the log did not accurately display a Journal Voucher identification number due to a programming error when exported into Microsoft Excel.
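Control activities 3 and 7 above, and control activity 8 below, describe three edits on the voucher log: reject an out-of-balance voucher, reject a one-sided budgetary or proprietary entry, and use the sequential control numbers to find missing vouchers, which the auditors then expect to be explained, for example by the deletion record (User ID, date and time) that control activity 5 under the preceding objective requires. The script below is an added example, not DDRS-AFS code; the voucher lines, account codes and deletion log are constructed sample data, and the ledger names and tuple layout are assumptions for the example.

```python
"""Journal voucher log edits: balance, one-sided entries and sequence gaps.
Added example, not DoD IG or DDRS-AFS code; all data below is constructed.
"""
from decimal import Decimal

LEDGERS = ("budgetary", "proprietary")


def validate_voucher(lines):
    """Return the edit failures for one voucher; an empty list means it posts.

    lines: (account, ledger, debit, credit) tuples with ledger in LEDGERS.
    Each ledger side present on the voucher must carry both debits and
    credits (no one-sided entry) and the two totals must be equal.
    """
    errors = []
    for ledger in LEDGERS:
        side = [line for line in lines if line[1] == ledger]
        if not side:
            continue
        debits = sum((line[2] for line in side), Decimal(0))
        credits = sum((line[3] for line in side), Decimal(0))
        if debits == 0 and credits == 0:
            errors.append(f"{ledger}: no amounts posted")
        elif debits == 0 or credits == 0:
            errors.append(f"{ledger}: one-sided entry (debits {debits}, credits {credits})")
        elif debits != credits:
            errors.append(f"{ledger}: out of balance by {abs(debits - credits)}")
    return errors


def sequence_gaps(control_numbers):
    """Control numbers missing between the lowest and highest number seen."""
    present = set(control_numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def explain_gaps(gaps, deletion_log):
    """Map each missing number to its (user, timestamp) deletion record, or None."""
    deleted = {jv: (user, when) for jv, user, when in deletion_log}
    return {n: deleted.get(n) for n in gaps}


def review_log(vouchers, deletion_log):
    """Run all three edits and report what an auditor would have to follow up."""
    rejected = {}
    for jv, lines in vouchers.items():
        errors = validate_voucher(lines)
        if errors:
            rejected[jv] = errors
    gaps = explain_gaps(sequence_gaps(vouchers), deletion_log)
    return {
        "rejected": rejected,
        "gaps": gaps,
        "unexplained_gaps": [n for n, record in gaps.items() if record is None],
    }


# Constructed sample: control number -> voucher lines (account, ledger, debit, credit).
# Account codes are illustrative only.
VOUCHERS = {
    1001: [("4610", "budgetary", Decimal(500), Decimal(0)),
           ("4801", "budgetary", Decimal(0), Decimal(500)),
           ("1010", "proprietary", Decimal(500), Decimal(0)),
           ("5100", "proprietary", Decimal(0), Decimal(500))],   # balanced
    1002: [("4610", "budgetary", Decimal(250), Decimal(0)),
           ("4801", "budgetary", Decimal(0), Decimal(200))],     # out of balance
    1004: [("1010", "proprietary", Decimal(75), Decimal(0))],    # one-sided
    1006: [("6100", "proprietary", Decimal(40), Decimal(0)),
           ("2110", "proprietary", Decimal(0), Decimal(40))],    # balanced
}
# Constructed deletion log (control number, user ID, timestamp); explains 1003 only.
DELETION_LOG = [(1003, "carol", "2005-02-14T09:12:00")]

if __name__ == "__main__":
    result = review_log(VOUCHERS, DELETION_LOG)
    for jv, errors in result["rejected"].items():
        print(f"JV {jv} rejected: {'; '.join(errors)}")
    for n, record in result["gaps"].items():
        print(f"gap at {n}: {'deleted by %s at %s' % record if record else 'UNEXPLAINED'}")
```

The gap at 1005 is the case the DFAS-Cleveland finding turns on: without a retained deletion record, a missing control number cannot be distinguished from a voucher that was never logged, so the sequence check only closes the loop when the deletion history from control activity 5 is kept.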
Control Activity 8: Controls ensure that one-sided Budgetary and one-sided Proprietary transactions cannot occur.
Test Procedure: Observed processing in DDRS-AFS to determine whether one-sided Budgetary and one-sided Proprietary transactions resulted in an error message and that processing could not continue. Confirmed, through corroborative inquiry, that debits equal credits for the Proprietary and Budgetary accounts being posted.
Results of Testing (DFAS-Cleveland): No relevant exceptions noted.

CO No. 4: Trading Partners
Control Objective: Controls are in place to ensure that trading partner data are supported by adequate documentation or a valid estimating methodology. Controls provide reasonable assurance that DDRS-AFS has systems or processes for determining the quality and integrity of data flowing through the system, and trading partners are input and updated completely and accurately. Reports can identify the impact of trading partners on statement presentation.

Control Activity 1: Seller-initiated trading partner eliminations are automatically e-mailed by DDRS-AFS or otherwise provided to the buyer and confirmed for appropriateness.
Test Procedure: Obtained a random sample notification e-mail from DDRS-AFS displaying the trading partner notification. Confirmed, through corroborative inquiry, that seller-initiated trading partner eliminations were automatically e-mailed to the customer and approved for elimination amounts.
Results of Testing (DFAS-Cleveland): No relevant exceptions noted.

Control Activity 2: DDRS-AFS ensures that trading partner data input is subject to data checks to ensure that invalid information (erroneous USSGL attribute combinations or an erroneous trading partner identifier) is not allowed to process.
Test Procedure: Observed system controls to determine whether only valid accounts updated DDRS-AFS tables. Confirmed, through corroborative inquiry, that DDRS-AFS trading partner data input was subject to data checks to ensure that invalid information (erroneous USSGL attribute combinations or an erroneous trading partner identifier) was not allowed to process.
Results of Testing (DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver): No relevant exceptions noted.

Control Activity 3: DFAS-Arlington PMO enables the DDRS-AFS “Lock-out” mechanism to ensure that trading partner information is not changed once the financial statements are finalized.
Test Procedure: Inspected the system audit log indicating that the lockout mechanism occurred and determined whether entries could be made once the mechanism was enabled. Confirmed, through corroborative inquiry, that a mechanism existed to ensure that trading partner information could be locked down to prevent changes once the financial statements were finalized.
Results of Testing (DFAS-Arlington): No relevant exceptions noted.

Control Activity 4: Significant policies and procedures are documented.
Test Procedure: Inspected policies and procedures to determine whether significant policies and procedures were documented. Confirmed, through corroborative inquiry, that significant policies and procedures were documented.
Results of Testing (DFAS-Arlington): Review of the FMR and DFAS policies disclosed that the process of relying on seller-side data did not include a control for reconciling differences between seller and buyer data. Thus, the adjustments to buyer-side accounts may not be auditable, and material amounts of such adjustments could affect the result of a financial statement audit.

CO No. 5: Validation
Control Objective: Controls provide reasonable assurance that DDRS-AFS has systems or processes for determining the quality and integrity of data flowing through the system, and trial balances are input and updated completely and accurately.

Control Activity 1: Control totals over data entered directly into DDRS-AFS ensure the trial balance or journal entry is in balance prior to updating DDRS-AFS.
Test Procedure: Observed trial balance entry to determine whether control totals over data entered directly into DDRS-AFS ensured the trial balance or journal entry was in balance prior to updating
Results of Testing (DFAS-Cleveland): No relevant exceptions noted.
Controls                                                DDRS-AFS.\n      provide reasonable assurance that\n      data validation and editing are                                                    Confirmed, through\n      performed to identify erroneous data,                                              corroborative inquiry, that\n      and that erroneous data are captured,                                              control totals over data entered\n      reported, investigated, and corrected.                                             directly into DDRS-AFS\n                                                                                         ensured the trial balance or\n                                                                                         journal entry was in balance\n                                                                                         prior to updating DDRS-AFS.\n\n                                               2. Control totals over data imported      Observed the trial balance data      DFAS-Cleveland\n                                               from an Excel sheet to text file into     import process to determine          No relevant exceptions noted.\n                                               DDRS-AFS ensure the trial balance is in   whether control totals in the\n                                               balance prior to updating DDRS-AFS.       
import sheets ensured that the\n                                                                                         trial balance was in balance prior\n                                                                                         to updating DDRS-AFS.\n\n                                                                                         Confirmed, through\n                                                                                         corroborative inquiry, that\n                                                                                         control totals over data imported\n                                                                                         from an Excel sheet to text file\n                                                                                         into DDRS-AFS ensured the\n                                                                                         trial balance was in balance prior\n                                                                                         to updating DDRS-AFS.\n\n                                               3. Validation ensures abnormal balances   Inspected reports to determine       DFAS-Cleveland\n                                               are flagged for review at the line item   whether non-traditional debit        DFAS-Indianapolis\n                                               level.                                    and credit accounts were flagged     DFAS-Columbus\n                                                                                         for review.                          
DFAS-Denver\n\n\n                                                                             130\n\x0cCO\n      Control Objective             Control Activity                      Test Procedure                      Results of Testing\nNo.\n                                                                                                      No relevant exceptions noted.\n                                                                  Inspected the customer\xe2\x80\x99s\n                                                                  concurrence that abnormal\n                                                                  balances (if any) had been\n                                                                  identified and disclosed in the\n                                                                  footnotes by verifying that the\n                                                                  customer provided a \xe2\x80\x9cyes\xe2\x80\x9d\n                                                                  response to the Standard\n                                                                  Guidance Checklist item\n                                                                  pertaining to abnormal balances.\n\n                                                                  Confirmed, through\n                                                                  corroborative inquiry, that\n                                                                  validation ensured non-\n                                                                  traditional debit and credit\n                                                                  accounts were flagged for\n                                                                  review.\n\n                          4. 
Subsequent to importing trial        Selected a random sample of         DFAS-Cleveland\n                          balances, Journal Vouchers changes or   Journal Vouchers to determine       DFAS-Indianapolis\n                          adjustments to trial balances are       that any Journal Vouchers           DFAS-Columbus\n                          reviewed and approved by management     changes or adjustments to trial     DFAS-Denver\n                          prior to report generation.             balances were reviewed and\n                                                                  approved by management prior        Adherence to the FMR Journal\n                                                                  to report generation.               Voucher approval policy was\n                                                                                                      inconsistent across DFAS centers.\n                                                                  Obtained a random sample of         Trial balance corrections entered\n                                                                  trial balance upload system audit   into DDRS-AFS did not always\n                                                                  trails to determine whether trial   require approval prior to posting,\n                                                                  balance uploads contain an          the ability to post Journal\n                                                                  approval.                           
Vouchers was delegated to several\n                                                                                                      staff accountants, and DFAS\n                                                                  Confirmed, through                  Directors did not always approve\n                                                                  corroborative inquiry, that         Journal Vouchers in excess of one\n                                                                  subsequent to trial balance         billion dollars prior to posting.\n                                                                  import any Journal Vouchers         DFAS Directors were designated\n                                                                  changes or adjustments to trial     by the FMR to approve Journal\n                                                                  balances were reviewed and          Vouchers in excess of one billion\n\n                                                       131\n\x0cCO\n      Control Objective              Control Activity                        Test Procedure                       Results of Testing\nNo.\n                                                                     approved by management prior         dollars. Although Journal Voucher\n                                                                     to report generation.                
packages were reviewed by\n                                                                                                          management before entry into\n                                                                                                          DDRS-AFS, the FMR requirement\n                                                                                                          that Journal Vouchers in excess of\n                                                                                                          one billion dollars be specifically\n                                                                                                          approved by the Director prior to\n                                                                                                          entry was not always adhered to in\n                                                                                                          a timely manner.\n\n                          5. Variance analysis is performed to       Confirmed, through observation,      DFAS-Cleveland\n                          explain fluctuations between the current   that variation analyses were         DFAS-Indianapolis\n                          year and prior year amounts reported on    performed, and disclosure was        DFAS-Columbus\n                          the financial statements.                  made of the causes of variations     DFAS-Denver\n                                                                     greater than 10% from the\n                                                                     previous year.                       
No relevant exceptions noted.\n\n                                                                     Obtained variance analyses\n                                                                     performed by DFAS personnel\n                                                                     and confirmed that variances\n                                                                     were explained and disclosed\n                                                                     according to the FMR.\n                                                                     Obtained the Standard Guidance\n                                                                     Checklist and noted the\n                                                                     customer\xe2\x80\x99s response to the\n                                                                     associated checklist item on\n                                                                     variance analysis.\n\n                          6. Standard programmed algorithms          Recalculated the FY 04 DoD           DFAS-Cleveland\n                          perform significant financial statement    consolidated financial               No relevant exceptions noted\n                          calculations.                              
statements subtotals and totals to\n                                                                     determine whether line item\n                                                                     amounts accurately sum to their\n                                                                     respective subtotals and totals,\n                                                                     and that consolidating\n                                                                     statements summed to DoD-\n                                                                     wide consolidated statements.\n\n\n                                                         132\n\x0cCO\n      Control Objective              Control Activity                       Test Procedure                      Results of Testing\nNo.\n                                                                    Confirmed, through\n                                                                    corroborative inquiry, that\n                                                                    standard programmed\n                                                                    algorithms performed significant\n                                                                    trial balance calculations.\n\n                          7. Journal vouchers are automatically     Inspected a listing of Journal      DFAS-Cleveland\n                          assigned a unique sequence number to      Voucher transaction IDs (control    The Journal Vouchers were\n                          facilitate their identification in the    numbers) to determine whether       observed to be sequentially\n                          DDRS-AFS.                                 they were assigned a unique         numbered; however, there were\n                                                                    sequence number.                    
missing numbers in the series as a\n                                                                                                        result of trial balance and\n                                                                    Confirmed, through                  associated Journal Voucher\n                                                                    corroborative inquiry, that         deletions which were not\n                                                                    transactions were automatically     maintained in the history file.\n                                                                    assigned a unique sequence          Additionally, the DDRS-AFS\n                                                                    number                              Journal Voucher log which was\n                                                                                                        exported into Microsoft Excel for\n                                                                                                        analysis did not accurately display\n                                                                                                        the Journal Voucher approval\n                                                                                                        identification, although the Journal\n                                                                                                        Voucher unique identifier control\n                                                                                                        number was correctly displayed.\n                                                                                                        However, as a mitigating control,\n                                                                                                        the approval identification\n                                                             
                                           displayed properly in Microsoft\n                                                                                                        Word and Adobe Acrobat. Thus,\n                                                                                                        the control activities and the\n                                                                                                        associated mitigating controls\n                                                                                                        supported the control objective.\n\n                          8. The Microsoft Excel spreadsheets       Inspected Microsoft Excel           DFAS-Cleveland\n                          provided to reporting activities to use   import sheets provided to           DFAS-Columbus\n                          for importing trial balances into DDRS-   reporting activities to determine\n                          AFS contain preprogrammed fields and      whether the spreadsheets            No relevant exceptions noted.\n                          totals to ensure data validation.         
contained preprogrammed fields\n                                                                    and totals to ensure data\n                                                                    validation.\n\n                                                        133\n\x0cCO\n      Control Objective               Control Activity                       Test Procedure                      Results of Testing\nNo.\n\n                                                                     Confirmed, through\n                                                                     corroborative inquiry, that the\n                                                                     Excel spreadsheets provided to\n                                                                     reporting activities contained\n                                                                     preprogrammed fields and totals\n                                                                     to ensure data validation.\n\n                          9. Trial balances and trading partner      Traced trial balance account        DFAS-Cleveland\n                          elimination entries imported into          balances from the trading           DFAS-Indianapolis\n                          DDRS-AFS using Microsoft Excel files       partner import sheet to the         DFAS-Columbus\n                          in CSV format update the proper            DDRS-AFS trial balance.             
DFAS-Denver\n                          accounts and tables.\n                                                                     Selected a random sample of         No relevant exceptions noted.\n                                                                     trial balances imported into\n                                                                     DDRS-AFS using a Microsoft\n                                                                     Excel spreadsheet to determine\n                                                                     whether the balance imported\n                                                                     matched the resulting trial\n                                                                     balance appearing in DDRS-\n                                                                     AFS.\n\n                                                                     Confirmed, through\n                                                                     corroborative inquiry, that files\n                                                                     imported in CSV format were\n                                                                     imported into the proper\n                                                                     accounts and tables.\n\n                          10. Reconciliations are performed to       Confirmed, through observation,     DFAS-Cleveland\n                          determine the reliability of data in the   that the DFAS centers:              DFAS-Indianapolis\n                          system and reconciling differences are     - prepared the reconciliation       DFAS-Columbus\n                          identified and resolved.                   
reports as required by DFAS-        DFAS-Denver\n                                                                     Arlington to ensure that\n                                                                     financial statements are            The reconciliation process was\n                                                                     consistent and that the proper      used primarily to force agreement\n                                                                     budgetary and proprietary           between statements. A process to\n                                                                     relationships are established;      provide feedback to the client was\n                                                                     - explained unresolved              not in place to clear differences.\n\n                                                          134\n\x0cCO\n                Control Objective                          Control Activity                        Test Procedure                       Results of Testing\nNo.\n                                                                                           reconciling items; and\n                                                                                           - submitted explanations to\n                                                                                           DFAS-Arlington as required by\n                                                                                           the Quarterly Guidance.\n\n6     Authorized Trial Balance Entry\n      Controls provide reasonable               1. Trial balance import sheets are input   Selected a random sample of          Controls were designed to provide\n      assurance that data transmissions         by authorized personnel.                   
DFAS-AFS users to determine if       for access to DDRS-AFS on a\n      between DDRS-AFS and user                                                            SAAR forms matched the access        center-level basis, instead of by\n      organizations are authorized,                                                        provided.                            responsible work area. As such,\n      complete, accurate, and secure.                                                                                           the user may have access to\n                                                                                           Inspected a list of DDRS-AFS         information that they don\xe2\x80\x99t\n      Unbalanced trial balances are flagged                                                users assigned the data              necessarily need.\n      and not reported until in balance.                                                   administrator role, and the\n                                                                                           HQSA role, to determine              Out of 162 total SAAR forms\n      Controls provide reasonable                                                          whether this access was              tested for all DDRS-AFS users,\n      assurance that application users are                                                 appropriate for their job            five related to users of the\n      appropriately identified and                                                         responsibilities. 
HQSA is a          DDRS_CFO_DATA_ADMIN role\n      authenticated, and that access to the                                                powerful role that, while            which provides users with this role\n      application and output is restricted to                                              necessary on a limited basis,        the ability to import and edit trial\n      authorized users for authorized                                                      does not encompass the               balances in DDRS-AFS. Of these\n      purposes.                                                                            principles of separation of duties   five users:\n                                                                                           and least privileges.                - One user had a SAAR form on\n      Controls provide reasonable                                                                                               file dated prior to 2004, which did\n      assurance that trial balance input is                                                Inspected e-mail traffic to          not provide enough detail to\n      accurate and recorded in the proper                                                  confirm that DFAS Centers            indicate the user role or DFAS\n      period.                                                                              periodically review user access      center to which access should be\n                                                                                           for appropriateness.                 
granted.\n                                                                                                                                - Two users had a post 2004\n                                                                                           Confirmed, through                   SAAR form on file, but the\n                                                                                           corroborative inquiry, that trial    DDRS-AFS role granted on the\n                                                                                           balance import sheets were input     form did not match access\n                                                                                           by authorized personnel.             provided in DDRS-AFS.\n\n                                                                                                                                However, DFAS Centers\n                                                                                                                                periodically reviewed user access\n                                                                                                                                roles for appropriateness.\n\n                                                                               135\n\x0cCO\n      Control Objective   Control Activity         Test Procedure           Results of Testing\nNo.\n                                                                    Out of 162 total SAAR forms\n                                                                    tested for all DDRS-AFS users, 12\n                                                                    related to users of the\n                                                                    DDRS_CFO_HQSA role which\n                                                                    provides users with this role the\n                                                        
ability to assign and remove roles in DDRS-AFS. Of these 12 users:
- Nine users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be granted.
- Two users had a post 2004 SAAR form on file, but the DDRS-AFS role granted on the form did not match access provided in DDRS-AFS.
- One user did not have a SAAR form available.

However, DFAS Centers periodically reviewed user access roles for appropriateness, but did not determine whether these 12 HQSA users were appropriate.

Although DFAS Centers periodically reviewed user access roles for appropriateness, some of the DFAS Centers had a questionable number of users assigned the HQSA role. Specifically:
- DFAS-Arlington had 13 users assigned the HQSA role.
- DFAS-Denver had 10 users assigned the HQSA role.
- DFAS-Columbus had 17 users assigned the HQSA role.

DFAS-Arlington
The DDRS-AFS SAAR form used prior to 2004 did not include specific role categories for which a user had been authorized.

DFAS-Cleveland
The import sheets uploaded into DDRS did not require approval prior to posting.

The trial uploads and balance adjustments entered into DDRS-AFS did not require approval prior to posting.

DFAS-Denver
A systems developer in Cleveland was assigned access to the production environment as a HQSA, which creates segregation of duties risks.

                                             136

CO No.  |  Control Objective  |  Control Activity  |  Test Procedure  |  Results of Testing

Control Activity 2. Microsoft Excel trial balance import sheets received by reporting activities are complete and in balance.
Test Procedure:
  Randomly sampled Microsoft Excel trial balances at 2004 FYE and at 2005 1QE to determine whether Microsoft Excel trial balance import sheets, budgetary import sheets, and trading partner import sheet transmissions received by reporting activities were complete and in balance.
  Confirmed, through corroborative inquiry, that Microsoft Excel trial balance import sheets, budgetary import sheets, and trading partner import sheet transmissions received by reporting activities were complete and in balance.
Results of Testing:
  DFAS-Cleveland: No relevant exceptions noted.

Control Activity 3. DDRS-AFS design establishes separate roles for Trial Balance import, Trial Balance validation, and Trial Balance reconciliation.
Test Procedure:
  Inspected system roles to determine if Trial Balance Import, Trial Balance Validation, and Trial Balance Reconciliation were defined as separate roles in DDRS-AFS.
  Confirmed, through corroborative inquiry, that the system had separate roles identified for Trial Balance import, Trial Balance validation and Trial Balance reconciliation.
Results of Testing:
  DFAS-Cleveland: Trial Balance approval roles were not established in DDRS-AFS.

Control Activity 4. Direct trial balance entries into DDRS-AFS or edits to the trial balance are performed by the appropriate reporting activities and are from authorized personnel at the activity.
Test Procedure:
  Selected a random sample of DDRS-AFS users to determine if SAAR forms matched the access provided.
  Inspected a list of DDRS-AFS users assigned the Journal Voucher approver role and the HQSA role to determine whether this access was appropriate for their job responsibilities. HQSA is a powerful role that, while necessary on a limited basis, does not encompass the principles of separation of duties and least privileges.
  Inspected e-mail traffic to confirm that DFAS Centers periodically review user access for appropriateness.
  Confirmed users with ability to upload trial balances by obtaining the SAAR form and confirming that the user was authorized to upload balances.
  Confirmed, through corroborative inquiry, that direct trial balance entries into DDRS-AFS or edits to the trial balance were performed by the appropriate reporting activities and were from authorized personnel at the activity.
Results of Testing:
  Controls were designed to provide for access to DDRS-AFS on a center-level basis, instead of by responsible work area. As such, the user may have access to information that they don't necessarily need.

  Out of 162 total SAAR forms tested for all DDRS-AFS users, five related to users of the DDRS_CFO_DATA_ADMIN role, which provides users with this role the ability to import and edit trial balances in DDRS-AFS. Of these five users:
  - One user had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be granted.
  - Two users had a post 2004 SAAR form on file, but the DDRS-AFS role granted on the form did not match access provided in DDRS-AFS.

  However, DFAS Centers periodically reviewed user access roles for appropriateness.

  Out of 162 total SAAR forms tested for all DDRS-AFS users, 12 related to users of the DDRS_CFO_HQSA role, which provides users with this role the ability to assign and remove roles in DDRS-AFS. Of these 12 users:
  - Nine users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be granted.
  - Two users had a post 2004 SAAR form on file, but the DDRS-AFS role granted on the form did not match access provided in DDRS-AFS.
  - One user did not have a SAAR form available.

  However, DFAS Centers periodically reviewed user access roles for appropriateness, but did not determine whether these 12 HQSA users were appropriate.

  Although DFAS Centers periodically reviewed user access roles for appropriateness, some of the DFAS Centers had a questionable number of users assigned the HQSA role. Specifically:
  - DFAS-Arlington had 13 users assigned the HQSA role.
  - DFAS-Denver had 10 users assigned the HQSA role.
  - DFAS-Columbus had 17 users assigned the HQSA role.

  DFAS-Arlington: The DDRS-AFS SAAR form used prior to 2004 did not include specific role categories for which a user had been authorized.

  DFAS-Cleveland: The import sheets uploaded into DDRS-AFS did not require approval prior to posting. The trial uploads and balance adjustments entered into DDRS-AFS do not require approval prior to posting.

  DFAS-Denver: A systems developer in Cleveland was assigned access to the production environment as a HQSA, which creates segregation of duties risks.

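The SAAR-to-role reconciliation and the HQSA head-count per center described under control activity 4, as an added example (not code from the DoD IG report or from DFAS): it flags the three exception types the report lists and counts HQSA holders per center. The two role names are the ones the report gives; the record layouts, user IDs, the head-count limit and all sample data are assumptions.

```python
"""Audit check reconciling DDRS-AFS role assignments against SAAR forms.
Added example, not part of the DoD IG report; record layouts and data are
constructed for illustration."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The two role names come from the report; the record layouts are assumed.
HQSA_ROLE = "DDRS_CFO_HQSA"              # can assign and remove roles
DATA_ADMIN_ROLE = "DDRS_CFO_DATA_ADMIN"  # can import and edit trial balances

# Exception categories, matching the three findings in the report.
NO_FORM = "no SAAR form on file"
PRE_2004_FORM = "pre-2004 SAAR form lacks role and center detail"
ROLE_MISMATCH = "SAAR form role does not match role assigned in DDRS-AFS"


@dataclass(frozen=True)
class RoleAssignment:
    """One row of a DDRS-AFS user/role listing (hypothetical layout)."""
    user_id: str
    center: str
    role: str


@dataclass(frozen=True)
class SaarForm:
    """A System Authorization Access Request form on file for a user.
    The pre-2004 form had no role or center field, so those stay None."""
    user_id: str
    form_year: int
    role: Optional[str] = None
    center: Optional[str] = None


def reconcile(assignments, forms, role=None):
    """Compare each DDRS-AFS assignment (optionally only those for `role`)
    with the SAAR form on file; return (user_id, exception) pairs."""
    forms_by_user = {f.user_id: f for f in forms}
    exceptions = []
    for a in assignments:
        if role is not None and a.role != role:
            continue
        form = forms_by_user.get(a.user_id)
        if form is None:
            exceptions.append((a.user_id, NO_FORM))
        elif form.form_year < 2004 and (form.role is None or form.center is None):
            exceptions.append((a.user_id, PRE_2004_FORM))
        elif form.role != a.role:
            exceptions.append((a.user_id, ROLE_MISMATCH))
    return exceptions


def summarize(exceptions):
    """Count exceptions by category (the nine/two/one breakdown in the report)."""
    return Counter(kind for _, kind in exceptions)


def hqsa_holders_by_center(assignments):
    """Number of users holding the HQSA role at each DFAS center."""
    return Counter(a.center for a in assignments if a.role == HQSA_ROLE)


def centers_over_threshold(assignments, max_hqsa):
    """Centers whose HQSA head-count exceeds max_hqsa. The report calls the
    counts 'questionable' without fixing a limit, so the limit is assumed."""
    counts = hqsa_holders_by_center(assignments)
    return sorted(c for c, n in counts.items() if n > max_hqsa)


# Constructed sample data (not from the report): eight users, four exceptions.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("u001", "DFAS-Arlington", HQSA_ROLE),
    RoleAssignment("u002", "DFAS-Arlington", HQSA_ROLE),        # pre-2004 form
    RoleAssignment("u003", "DFAS-Denver", HQSA_ROLE),           # form says DATA_ADMIN
    RoleAssignment("u004", "DFAS-Columbus", HQSA_ROLE),         # no form on file
    RoleAssignment("u005", "DFAS-Cleveland", DATA_ADMIN_ROLE),
    RoleAssignment("u006", "DFAS-Cleveland", DATA_ADMIN_ROLE),  # pre-2004 form
    RoleAssignment("u007", "DFAS-Denver", HQSA_ROLE),
    RoleAssignment("u008", "DFAS-Denver", HQSA_ROLE),
]
SAMPLE_FORMS = [
    SaarForm("u001", 2005, HQSA_ROLE, "DFAS-Arlington"),
    SaarForm("u002", 2002),
    SaarForm("u003", 2004, DATA_ADMIN_ROLE, "DFAS-Denver"),
    SaarForm("u005", 2005, DATA_ADMIN_ROLE, "DFAS-Cleveland"),
    SaarForm("u006", 2003),
    SaarForm("u007", 2005, HQSA_ROLE, "DFAS-Denver"),
    SaarForm("u008", 2005, HQSA_ROLE, "DFAS-Denver"),
]

if __name__ == "__main__":
    for role in (HQSA_ROLE, DATA_ADMIN_ROLE):
        exc = reconcile(SAMPLE_ASSIGNMENTS, SAMPLE_FORMS, role)
        print(role, dict(summarize(exc)))
        for user_id, kind in exc:
            print("  ", user_id, kind)
    print("HQSA holders per center:", dict(hqsa_holders_by_center(SAMPLE_ASSIGNMENTS)))
    print("Centers over assumed limit of 2:", centers_over_threshold(SAMPLE_ASSIGNMENTS, 2))
```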
Control Activity 5. DDRS-AFS application controls ensure that direct trial balance entries into DDRS-AFS and edits to the trial balance are in balance prior to updating the reporting tables.
Test Procedure:
  Observed trial balance entry to determine whether control totals over data entered directly into DDRS-AFS ensured the trial balance was in balance prior to updating DDRS.
  Randomly sampled Microsoft Excel trial balances at 2004 FYE and Q1 2005 to determine whether direct trial balance entries into DDRS-AFS, and edits to the trial balance, were complete and in balance prior to updating the DDRS-AFS reporting tables.
  Confirmed, through corroborative inquiry, that direct trial balance entries into DDRS-AFS, and edits to the trial balance, were complete and in balance prior to updating the DDRS-AFS reporting tables.
Results of Testing:
  DFAS-Cleveland: No relevant exceptions noted.

Control Activity 6. The entry and approval functions pertaining to the direct entering of trial balances or editing of trial balances are properly segregated between the individual entering the data and the individual approving the data.
Test Procedure:
  Inspected a list of DDRS-AFS users assigned the Data Administrator role, and the HQSA role, to determine whether this access was appropriate for their job responsibilities. HQSA is a powerful role that, while necessary on a limited basis, does not encompass the principles of separation of duties and least privileges.
  Obtained a random sample of trial balance upload system audit trails to determine whether trial balance uploads contain an approval.
  Confirmed, through corroborative inquiry, that direct trial balance entries into DDRS-AFS or edits to the trial balance were approved by an individual other than who entered the balance prior to updating the DDRS-AFS reporting tables.
Results of Testing:
  DFAS-Arlington, DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver:
  Users were assigned roles based on each DFAS center's reporting activities, which may provide them with access to multiple entity codes that they may not necessarily need. Also, trial balance corrections or adjustments, which can only be made by re-importing the trial balance, did not require approval.

Control Activity 7. DDRS-AFS maintains a closing date for the trial balance entry function to ensure Journal Voucher or trial balance adjustments are not made to the trial balance subsequent to external reporting.
Test Procedure:
  Inspected the system audit log indicating the lockout occurred and observed that the lockout mechanism was enabled prior to the release of the statements to OMB, and that the mechanism was effective in preventing additional adjustments to the financial statements.
  Confirmed, through corroborative inquiry, that a closing date maintained for the trial balance entry function ensures that Journal Vouchers or trial balance adjustments are not made to the trial balance subsequent to external reporting.
Results of Testing:
  DFAS-Arlington: No relevant exceptions noted.

Control Activity 8. Controls ensure that the trial balance entered into DDRS-AFS is based on the current reporting period.
Test Procedure:
  Inspected the trial balance import sheet to determine if data checks were enabled to allow DDRS-AFS to confirm that the period for which trial balance information was being imported was the current reporting period.
  Confirmed, through corroborative inquiry, that the trial balance entered into DDRS-AFS was based on the intended reporting period.
Results of Testing:
  DFAS-Cleveland: Information contained on the Microsoft Excel trial balance import sheets did not indicate the quarterly reporting period that the uploaded information pertained to. However, as a mitigating control, the local unique process to prepare balances for import into DDRS-AFS contained controls to ensure that the balances are being imported for the current reporting period. Additionally, as a mitigating control, reconciliations would detect an incorrect upload that was not related to the current period. Thus, the control activity and the associated mitigating control supported the control objective.

Control Activity 9. Trial balance and adjustment numbers for the reporting period are sent to the reporting activity for review of appropriateness and authorization.
Test Procedure:
  Randomly sampled Microsoft Excel trial balances at 2004 FYE and at Q1 2005 to determine whether trial balance and adjustment numbers for the reporting period were sent to the reporting activity for review of appropriateness and authorization.
  Confirmed, through corroborative inquiry, that trial balance and adjustment numbers for the reporting period were sent to the reporting activity for review of appropriateness and authorization.
Results of Testing:
  DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver: No relevant exceptions noted.

Control Activity 10. Significant policies and procedures are documented.
Test Procedure:
  Inspected policies and procedures to determine whether significant policies and procedures were documented.
  Confirmed, through corroborative inquiry, that significant policies and procedures were documented.
Results of Testing:
  DFAS-Cleveland: No relevant exceptions noted.

CO No. 7: USSGL Account Maintenance
Control Objective: Controls provide reasonable assurance that only valid and accurate changes are made to the DDRS-AFS Reference Tables, Department Reporting Tables and other critical system components; these changes are input and processed timely. Controls provide reasonable assurance that new accounting line items are promptly added to the reference tables and obsolete accounts are promptly removed, and only valid accounts are added to the reference table.

Control Activity 1. Reporting and account reference tables are periodically reviewed for accuracy and ongoing pertinence.
Test Procedure:
  Inspected the DDRS-AFS USSGL change request log and DDRS-AFS USSGL system change log to determine whether tables were periodically reviewed for accuracy and ongoing pertinence.
  Confirmed, through corroborative inquiry, that reporting and account reference tables were periodically reviewed for accuracy and ongoing pertinence.
Results of Testing:
  DFAS-Arlington: No relevant exceptions noted.

Control Activity 2. Requests to change the reporting and account reference table data in DDRS-AFS are documented in a USSGL change log and the log is reviewed to ensure that all requested changes are processed timely.
Test Procedure:
  Inspected change requests to determine whether requests to change the reporting and account reference table data were logged; also, inspected the USSGL change log to determine timeliness of changes.
  Confirmed, through corroborative inquiry, that requests to change the reporting and account reference table data were logged; the log was reviewed to ensure that all requested changes were processed timely.
Results of Testing:
  DFAS-Arlington: No relevant exceptions noted.

Control Activity 3. Changes to DDRS-AFS reporting and account reference tables are compared to the authorized USSGL change request originated by DFAS-Arlington accounting to ensure that they were input accurately by the DFAS-Arlington PMO.
Test Procedure:
  Inspected change requests to determine whether changes to the reporting and account reference tables were compared to authorized USSGL change requests to ensure that they were input accurately.
  Confirmed, through corroborative inquiry, that changes to the reporting and account reference tables were compared to authorized USSGL change requests to ensure that they were input accurately.
Results of Testing:
  DFAS-Arlington, DFAS-Cleveland: Changes documented in the USSGL change log were not reviewed and approved to determine if they were accurately entered. Also, changes were found to occasionally be made during production hours. However, some compensating controls existed. For instance, errors in the report mapping were identified and investigated as a part of the reporting process.
Additionally,\n                                                                                                        periodic USSGL reviews were\n                                                                                                        performed to determine if they\n                                                                                                        were consistent with the U.S.\n                                                                                                        Treasury USSGL.\n\n                          4. The ability to view, modify, or       Selected a random sample of          Out of 162 total SAAR forms\n                          transfer information contained in        DFAS-AFS users to determine if       tested for all DDRS-AFS users,\n                          DDRS-AFS reporting and account           SAAR forms matched the access        eight related to users of the\n                          reference tables is restricted to        provided.                            DDRS_CFO_TABLE_MAINTAI\n                          authorized personnel.                                                         NANCE role which provides users\n                                                                   Inspected a list of DDRS-AFS         with this role the ability to make\n                                                                   users assigned the                   changes to the US_SGL account\n                                                                   CFO_Table_Maint role, and the        structure in DDRS-AFS. 
Of these\n                                                                   HQSA role, to determine              eight users:\n                                                                   whether this access was              - Four users had a SAAR form on\n                                                                   appropriate for their job            file dated prior to 2004, which did\n                                                                   responsibilities. HQSA is a          not provide enough detail to\n                                                                   powerful role that, while            indicate the user role or DFAS\n                                                                   necessary on a limited basis,        center to which access should be\n                                                                   does not encompass the               granted; and,\n                                                                   principles of separation of duties   - One user had a post 2004 SAAR\n                                                                   and least privileges.                
form on file, but the DDRS-AFS\n                                                                                                        role granted on the form did not\n\n                                                        146\n\x0cCO\n      Control Objective   Control Activity                 Test Procedure                       Results of Testing\nNo.\n                                                   Confirmed, through                   match access provided in DDRS-\n                                                   corroborative inquiry, that the      AFS.\n                                                   ability to view, modify, or\n                                                   transfer information contained in    However, DFAS Centers\n                                                   the reporting and account            periodically reviewed user access\n                                                   reference tables was restricted to   roles for appropriateness\n                                                   authorized personnel.\n                                                                                        Out of 162 total SAAR forms\n                                                                                        tested for all DDRS-AFS users, 12\n                                                                                        related to users of the\n                                                                                        DDRS_CFO_HQSA role which\n                                                                                        provides users with this role the\n                                                                                        ability to assign and remove roles\n                                                                                        in DDRS-AFS. 
Of these 12 users:\n                                                                                        - Nine users had a SAAR form on\n                                                                                        file dated prior to 2004, which did\n                                                                                        not provide enough detail to\n                                                                                        indicate the user role or DFAS\n                                                                                        center to which access should be\n                                                                                        granted;\n                                                                                        - Two users had a post 2004\n                                                                                        SAAR form on file, but the\n                                                                                        DDRS-AFS role granted on the\n                                                                                        form did not match access\n                                                                                        provided in DDRS-AFS; and,\n                                                                                        - One user did not have a SAAR\n                                                                                        form available.\n\n                                                                                        However, DFAS Centers\n                                                                                        periodically reviewed user access\n                                                                                        roles for appropriateness, but did\n                                                                                        not determine 
whether these 12\n                                                                                        HQSA users were appropriate.\n\n                                                                                        Although DFAS Centers\n                                                                                        periodically reviewed user access\n                                                                                        roles for appropriateness, some of\n                                                                                        the DFAS Centers had a\n\n                                             147\n\x0cCO\n      Control Objective              Control Activity                         Test Procedure                      Results of Testing\nNo.\n                                                                                                          questionable number of users\n                                                                                                          assigned the HQSA role.\n                                                                                                          Specifically:\n\n                                                                                                          - DFAS-Arlington had 13 users\n                                                                                                          assigned the HQSA role.\n                                                                                                          - DFAS-Denver had 10 users\n                                                                                                          assigned the HQSA role.\n                                                                                                          - DFAS-Columbus had 17 users\n                                                                                                          assigned the HQSA role.\n\n 
                                                                                                         DFAS-Arlington\n                                                                                                           The DDRS-AFS SAAR form used\n                                                                                                          prior to 2004 did not include\n                                                                                                          specific role categories for which a\n                                                                                                          user had been authorized.\n\n                                                                                                          Of 17 users assigned the\n                                                                                                          CFO_Table_Maint role, 13 were\n                                                                                                          identified that should not have\n                                                                                                          been granted that role, although\n                                                                                                          these users were subsequently\n                                                                                                          removed based on the internal user\n                                                                                                          review process.\n\n                                                                                                          DFAS-Denver\n                                                                                                          A systems developer in Cleveland\n                                                                                                          was 
assigned access to the\n                                                                                                          production environment as a\n                                                                                                          HQSA, which creates segregation\n                                                                                                          of duties risks.\n\n                          5. The functionality pertaining to the      Inspected the USSGL account         DFAS-Arlington\n                          DDRS-AFS reporting and account              maintenance reference tables to     No relevant exceptions noted.\n                          reference tables allow the PMO to enter,    determine whether the\n                          edit, and store table changes so that the   functionality pertaining to the\n                          changes automatically become effective.     reporting and account reference\n                                                                      tables allowed the user to enter,\n\n                                                         148\n\x0cCO\n      Control Objective              Control Activity                      Test Procedure                     Results of Testing\nNo.\n                                                                   edit, and store accounting\n                                                                   classification table changes so\n                                                                   that the changes automatically\n                                                                   became effective.\n\n                                                                   Confirmed, through\n                                                                   corroborative inquiry, that the\n                                                                   reporting and account reference\n                                     
                              tables allowed the user to enter,\n                                                                   edit, and store accounting\n                                                                   classification table changes so\n                                                                   that the changes automatically\n                                                                   became effective.\n\n                          6. DDRS-AFS will reject or suspend       Observed DDRS-AFS edit              DFAS-Cleveland\n                          interfaced USSGL accounts that contain   checks to determine whether the     No relevant exceptions noted.\n                          accounting classification elements or    reporting and account reference\n                          domain values that have been             tables allowed the system to\n                          deactivated or discontinued.             reject or suspend interfaced\n                                                                   transactions that contained\n                                                                   accounting classification\n                                                                   elements or domain values that\n                                                                   had been deactivated or\n                                                                   discontinued.\n\n                                                                   Confirmed, through\n                                                                   corroborative inquiry, that\n                                                                   DDRS-AFS will reject or\n                                                                   suspend interfaced transactions\n                                                                   that contain accounting\n                                                                   
classification elements or\n                                                                   domain values that have been\n                                                                   deactivated or discontinued.\n\n\n\n\n                                                        149\n\x0cCO\n               Control Objective                         Control Activity                     Test Procedure                    Results of Testing\nNo.\n8     USSGL & Other Guidelines\n      Controls provide reasonable             1. DDRS-AFS financial statements are     Compared DDRS-AFS module         DFAS-Arlington\n      assurance that DDRS-AFS produces        consistent with the USSGL as published   chart of accounts with the       DoD policies related to the\n      financial statements that conform to    by the U.S. Treasury.                    USSGL to determine whether it    preparation of financial statements\n      the USSGL.                                                                       was consistent with the USSGL.   and the template used for\n                                                                                                                        preparation of financial statements\n      Controls provide reasonable                                                      Inspected the DDRS-AFS report    did not provide for reporting a\n      assurance that any relevant changes                                              maps to determine whether the    significant amount of accounting\n      made to the USSGL by the Treasury                                                financial statements are         information required by the\n      Department are included in the                                                   consistent with the USSGL.       
Federal Accounting Standards\n      reference tables, and that changes to                                                                             Advisory Board (FASAB) and\n      the tables are authorized and                                                                                     Office of Management and Budget\n      approved.                                                                                                         (OMB) Bulletin 01-09. Also, the\n                                                                                                                        mapping of accounts for the\n                                                                                                                        preparation of financial statements\n                                                                                                                        in several instances relied upon\n                                                                                                                        DoD general ledger accounts,\n                                                                                                                        instead of USSGL account codes.\n                                                                                                                        Furthermore, the mapping of\n                                                                                                                        accounts used for the preparation\n                                                                                                                        of the Statement of Custodial\n                                                                                                                        Activity did not conform to\n                                                                                                                        Treasury requirements.\n\n   
                                           2. Data converted from the Report on     Inspected the reconciliation     DFAS-Cleveland\n                                              Budget Execution and Budgetary           reports that DFAS-Arlington      DFAS-Indianapolis\n                                              Resources (SF-133) and entered into      required from DFAS centers for   DFAS-Columbus\n                                              DDRS-AFS is consistent with the          FY 04 and FY 05 Q1 to            DFAS-Denver\n                                              Statement of Budgetary Resources.        determine whether the\n                                                                                       reconciliation between           Although the SF-133 and\n                                                                                       Statement of Budgetary           Statement of Budgetary Resources\n                                                                                       Resources and Report on Budget   reconciliation was performed,\n                                                                                       Execution and Budgetary          management did not sign off on\n                                                                                       Resources (SF-133.) was          the series of reconciliation reports\n                                                                                       performed and differences        evidencing a review before the\n                                                                                       explained.                       
reconciliation was submitted to\n                                                                                                                        DFAS-Arlington.\n\n                                                                            150\n\x0cCO\n      Control Objective              Control Activity                         Test Procedure                     Results of Testing\nNo.\n                                                                      Confirmed, through\n                                                                      corroborative inquiry, that data\n                                                                      converted from the Report on\n                                                                      Budget Execution and\n                                                                      Budgetary Resources (SF-133)\n                                                                      entered into DDRS-AFS was\n                                                                      consistent with the Statement of\n                                                                      Budgetary Resources.\n\n                          3. Prior to each reporting period or on a   Compared DDRS-AFS module            DFAS-Arlington\n                          periodic basis, the USSGL is reviewed       chart of accounts to updates in     No relevant exceptions noted.\n                          for changes applicable to the DDRS-         the Quarterly Guidance to\n                          AFS module chart of accounts to ensure      determine if, prior to each\n                          accuracy and pertinence.                    
reporting period or on a periodic\n                                                                      basis, the USSGL was reviewed\n                                                                      for changes applicable to the\n                                                                      DDRS-AFS module chart of\n                                                                      accounts.\n\n                                                                      Confirmed, through\n                                                                      corroborative inquiry, that prior\n                                                                      to each reporting period or on a\n                                                                      periodic basis, the USSGL was\n                                                                      reviewed for changes applicable\n                                                                      to the DDRS-AFS module chart\n                                                                      of accounts to ensure accuracy\n                                                                      and pertinence.\n\n\n\n\n                                                         151\n\x0cCO\n      Control Objective              Control Activity                      Test Procedure                     Results of Testing\nNo.\n                          4. Changes to the chart of accounts in   Obtained the DDRS-AFS offline      DFAS-Arlington\n                          the DDRS-AFS module are authorized       change log maintained by           Although changes to the chart of\n                          and approved.                            
DFAS-Arlington PMO to              account were documented in the\n                                                                   determine whether changes were     off-line change log, there was no\n                                                                   authorized and approved.           documented process in place for\n                                                                                                      reviewing or authorizing the\n                                                                   Confirmed, through                 change.\n                                                                   corroborative inquiry, that\n                                                                   changes to the chart of accounts\n                                                                   in the DDRS-AFS module were\n                                                                   authorized, approved, and tested\n                                                                   prior to implementation.\n\n                          5. Significant policies and procedures   Inspected significant policies     DFAS-Arlington\n                          are documented.                          and procedures to determine        Procedures to make changes in\n                                                                   whether significant policies and   DDRS-AFS related to the USSGL\n                                                                   procedures were documented.        Chart of Accounts and mappings\n                                                                                                      were not formally documented. 
A\n                                                                   Confirmed, through                 mitigating control existed because\n                                                                   corroborative inquiry, that        DDRS-AFS user manuals were\n                                                                   significant policies and           available and changes in reporting\n                                                                   procedures were documented.        requirement were disseminated to\n                                                                                                      the DFAS-Arlington PMO. Thus,\n                                                                                                      the control activity and associated\n                                                                                                      mitigating control supported the\n                                                                                                      control objective.\n\n\n\n\n                                                         152\n\x0cData Collection Module\nCO\n               Control Objective                            Control Activity                       Test Procedure                    Results of Testing\nNo.\n1     Audit Trails\n      Controls provide reasonable                1. 
Financial statement line item amounts in DDRS-AFS are drilled down to the detailed balance and activity supporting the line item numbers, including amounts entered manually into the DDRS-AFS module from DCM.

   Test Procedure: Selected a Journal Voucher from category M and noted the USSGL account posted. Performed a drill down on the corresponding Financial Statement line item containing the account until the Journal Voucher was displayed. Noted that the data in the Journal Voucher matched data in the Journal Voucher log.

   Results of Testing: DFAS-Indianapolis. No relevant exceptions noted.

Control Objective (CO No. 1, continued): Controls provide reasonable assurance that DDRS-DCM produces financial statements that are supported by audit trails that are adequate for the financial management entity and external auditors to trace amounts reported in the financial statement back to trial balances and data from feeder systems.

Controls provide reasonable assurance that audit trails indicate the user inputting the trial balance and the user approving the trial balance. All audit trails indicate the user inputting the Journal Voucher and the user approving the Journal Voucher.

Audit trails are reviewed on a regular basis for appropriateness.

(Table columns, repeated on each page: CO No. | Control Objective | Control Activity | Test Procedure | Results of Testing)

Control Activity 2: Balances manually entered into DDRS-DCM are supported by audit trails that indicate the person, status, date input, and type (e.g., consolidating).

   Test Procedure: Scanned the audit trail and determined that transactions were captured in DDRS-DCM and that they included the User ID, date of transaction, and amount of transaction. Confirmed, through corroborative inquiry, that balances manually entered into DDRS-DCM, balances imported via Microsoft Excel import sheets and balances imported from DDRS-DCM entry were supported by audit trails that indicated the user ID inputting the trial balance, the date and time input, and an indicator of how the balance has been entered online.

   Results of Testing: DFAS-Cleveland. No relevant exceptions noted.

Control Activity 3: Balances entered into DDRS-DCM are supported by audit trails indicating the User ID, date the balance was entered, and the User ID approving the balance.

   Test Procedure: Scanned the audit trail and determined if transactions were captured in DDRS-DCM and that they included the User ID and date the balance was entered, and the User ID approving the balance. Confirmed, through corroborative inquiry, that balances entered into DDRS-DCM were supported by audit trails indicating the User ID and date the balance was entered and the User ID approving the balance.

   Results of Testing: DFAS-Cleveland. No relevant exceptions noted.

Control Activity 4: During each accounting quarter or other reporting period, audit trails in the DDRS-DCM are periodically reviewed for appropriateness and unusual activity.

   Test Procedure: Confirmed, through corroborative inquiry, that during each accounting quarter or other reporting period, audit trails in the DDRS-DCM were periodically reviewed for appropriateness and unusual activity.

   Results of Testing: DFAS-Indianapolis, DFAS-Columbus. Audit logs were not reviewed.

Control Activity 5: All cancelled Journal Vouchers keyed into DDRS-AFS from DDRS-DCM contained a Journal Voucher ID number and the dates and times they were cancelled or rejected.

   Test Procedure: Reviewed system log in DDRS-AFS to determine if cancelled Journal Vouchers contained a Journal Voucher ID number and dates and times they were cancelled or rejected. Confirmed, through corroborative inquiry, that all cancelled Journal Vouchers keyed into DDRS-AFS from DDRS-DCM contained a Journal Voucher ID number and the dates and times they were cancelled or rejected.

   Results of Testing: DFAS-Cleveland. In DDRS-AFS, cancelled Journal Vouchers were recorded; however, Journal Voucher cancellations were not displayed in the Journal Voucher log with the canceling user's ID, date cancelled, or reason cancelled. Cancelled Journal Vouchers did not affect the financial statements.

CO No. 2: Balance Entry

Control Objective: Controls provide reasonable assurance that balances entered into the DDRS-DCM are supported by adequate documentation, and that balances entered into the DDRS-DCM are approved prior to entry into a DDRS table.

Controls provide reasonable assurance that the separation of duties exists to ensure the person approving the balances entered into the DDRS-DCM is not the person entering the balances entered into the DDRS-DCM.

Controls provide reasonable assurance that balances entered into the DDRS-DCM are in balance prior to entry into DDRS-AFS.

Control Activity 1: Data call information imported from DDRS-DCM into DDRS-AFS as Journal Vouchers are supported by adequate documentation.

   Test Procedure: Reviewed entry from DCM to DDRS-AFS and determined that entries were supported by adequate documentation and approved prior to entry into the DDRS-DCM. Confirmed, through corroborative inquiry, that data call information imported from DDRS-DCM into DDRS-AFS as Journal Vouchers was supported by adequate documentation.

   Results of Testing: DFAS-Indianapolis, DFAS-Columbus. No relevant exceptions noted.

Control Activity 2: The ability to enter or modify information contained in a balance is restricted to authorized personnel.

   Test Procedure: Confirmed users with ability to enter or approve balances by obtaining the SAAR form and confirming that the user is allowed to enter balances. Used the Financial Audit Manual guide on population size to judgmentally select a sample of 80 SAAR forms for testing. Confirmed, through corroborative inquiry, that the ability to enter or modify information contained in a balance was restricted to authorized personnel.

   Results of Testing: DFAS-Arlington, DFAS-Indianapolis, DFAS-Columbus. Out of 80 total SAAR forms tested for all DDRS-DCM users, 32 related to users of the Data Entry role, which provides users with this role the ability to enter and finalize balances entered into DDRS-DCM. Of these 32 users:
   - 23 users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or reporting area in DDRS-DCM to which access should be granted;
   - Two users had a post-2004 SAAR form on file, but the specific role was not indicated on the form; and
   - One user's access granted in DDRS-DCM did not match the access provided in the form.

Control Activity 3: The balances entered are approved or rejected by an individual other than who entered the balance and who has authority to approve or reject the balance.

   Test Procedure: Confirmed users with ability to enter or approve balances by obtaining the SAAR form and confirming that the user is allowed to enter balances. Reviewed DCM balance entry in DDRS-AFS and determined that balances must be approved. Determined that Journal Vouchers during DDRS-AFS import must be approved. Confirmed, through corroborative inquiry, that the balances entered were approved or rejected by an individual other than who entered the balance and who had authority to approve or reject the balance.

   Results of Testing: DFAS-Indianapolis, DFAS-Columbus. Out of 80 total SAAR forms tested for all DDRS-DCM users, 27 related to users of the Consolidator role, which provides users with this role the ability to consolidate and approve balances entered into DDRS-DCM. Of these 27 users:
   - Eighteen users had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or reporting area in DDRS-DCM to which access should be granted; and
   - One user had a post-2004 SAAR form on file, but the specific role was not indicated on the form.
   However, DFAS Centers periodically reviewed user access roles for appropriateness. Consolidators can approve their own balance entries in DCM; however, the Journal Vouchers put into DDRS-AFS must be approved by someone other than the Journal Voucher creator.

Control Activity 4: The data call information in the DDRS-DCM is in balance before being imported as a Journal Voucher into DDRS. Within DDRS-DCM, data calls entered out-of-balance will be prompted with an error message and not recorded until balanced.

   Test Procedure: Inspected process for establishing Journal Vouchers in DDRS-AFS from DDRS-DCM and confirmed that each cell in DDRS-DCM contains a Journal Voucher which must be in balance prior to updating DDRS-AFS. Confirmed, through corroborative inquiry, that data call information in the DDRS-DCM was in balance before being imported as a Journal Voucher into DDRS. Within the DDRS-DCM, data calls entered out-of-balance were prompted with an error message and not recorded until balanced.

   Results of Testing: DFAS-Indianapolis, DFAS-Columbus. No relevant exceptions noted.

Control Activity 5: Data calls in DDRS-DCM creating the Journal Vouchers to be imported into DDRS-AFS are included in the intended reporting period.

   Test Procedure: Inspected Journal Voucher input process in DDRS-AFS and noted that Journal Vouchers could only be input for the current period. Confirmed, through corroborative inquiry, that the data calls in DDRS-DCM creating the Journal Vouchers to be imported into DDRS were included in the intended reporting period.

   Results of Testing: DFAS-Indianapolis. No relevant exceptions noted.

Control Activity 6: The balances keyed in from DDRS-DCM to DDRS-AFS as Journal Vouchers update all applicable general ledger account balances (i.e., budgetary, proprietary and memorandum accounts) based on a single input transaction and are included in the final trial balance numbers.

   Test Procedure: Selected random sample of Journal Vouchers in DDRS-AFS and determined that they update all applicable general ledger account balances (i.e., budgetary, proprietary and memorandum accounts) based on a single input transaction and were included in the final trial balance numbers. Confirmed, through corroborative inquiry, that the balances keyed in from DDRS-DCM to DDRS-AFS as Journal Vouchers updated all applicable general ledger account balances (i.e., budgetary, proprietary and memorandum accounts) based on a single input transaction and were included in the final trial balance numbers.

   Results of Testing: DFAS-Arlington. No relevant exceptions noted.

Control Activity 7: A closing date on Journal Vouchers imported into DDRS-AFS from DDRS-DCM enables DFAS personnel to ensure no Journal Voucher adjustments are made to the trial balance subsequent to external reporting.

   Test Procedure: Inspected the system audit log in DDRS-AFS indicating the lockout occurred and confirmed that the lockout mechanism was enabled prior to the release of the statements to OMB, and that the mechanism was effective in preventing additional adjustments to the financial statements. Confirmed, through corroborative inquiry, that a closing date on Journal Vouchers imported into DDRS-AFS from DDRS-DCM enabled DFAS personnel to ensure no Journal Voucher adjustments were made to the trial balance subsequent to external reporting.

   Results of Testing: DFAS-Arlington. No relevant exceptions noted.

Control Activity 8: Journal vouchers imported or keyed into DDRS-AFS from DDRS-DCM are assigned Journal Voucher control numbers prior to approval and, after approval, are given sequential approved Journal Voucher ID numbers; the numerical sequence of each Journal Voucher is accounted for to ensure that all Journal Vouchers are processed timely.

   Test Procedure: Inspected the Journal Voucher log in DDRS-AFS to determine whether it was sequentially ordered, and, if breaks in the sequence of control numbers existed, whether they were explained. Confirmed, through corroborative inquiry, that Journal Vouchers imported or keyed into DDRS-AFS from DDRS-DCM were assigned Journal Voucher control numbers prior to approval and, after approval, were given sequential approved Journal Voucher ID numbers; the numerical sequence of each Journal Voucher was accounted for to ensure that all Journal Vouchers are processed timely.

   Results of Testing: DFAS-Cleveland. Inspection of the Journal Voucher log showed that some numbers were missing from the sequence of Journal Voucher numbers as a result of a trial balance and associated Journal Vouchers being deleted.

Control Activity 9: Journal vouchers for the reporting period are available to the reporting activity for review of appropriateness and authorization.

   Test Procedure: Confirmed, through corroborative inquiry, that reports of Journal Vouchers for the reporting period were sent to the reporting activity for review of appropriateness and authorization.

   Results of Testing: DFAS-Cleveland. No relevant exceptions noted.

CO No. 3: Validation

Control Objective: Controls provide reasonable assurance that the DDRS-DCM has systems or processes for determining the quality and integrity of data flowing through the system, and trial balances are input and updated completely and accurately.

Controls provide reasonable assurance that data validation and editing are performed to identify erroneous data, and that erroneous data are captured, reported, investigated, and corrected.

Control Activity 1: Control totals over data entered directly into the DDRS-DCM ensure the journal entries are in balance prior to updating DDRS-AFS and are being updated to the correct entity.

   Test Procedure: Inspected process for establishing Journal Vouchers in DDRS-AFS from DDRS-DCM and confirmed that each cell in DDRS-DCM contains a Journal Voucher which must be in balance prior to updating DDRS-AFS. Confirmed, through corroborative inquiry, that control totals over data entered directly into the DDRS-DCM ensured the trial balance or journal entry was in balance prior to updating DDRS.

   Results of Testing: DFAS-Cleveland. No relevant exceptions noted.

Control Activity 2: Transactions are automatically assigned a unique sequence number. (Only in a Journal Voucher output process.)

   Test Procedure: Inspected the Journal Voucher log in DDRS-AFS to determine whether it was sequentially ordered, and, if breaks in the sequence of control numbers existed, whether they were explained. Confirmed, through corroborative inquiry, that transactions were automatically assigned a unique sequence number. (Only in a Journal Voucher output process.)

   Results of Testing: DFAS-Cleveland. Inspection of the Journal Voucher log showed that some numbers were missing from the sequence of Journal Voucher numbers as a result of a trial balance and associated Journal Vouchers being deleted.

Data Collection Module Interfacing

CO No. 1: Validation

Control Objective: Controls provide reasonable assurance that DDRS has systems or processes for determining the quality and integrity of data flowing through the system, and balances are input and updated completely and accurately.

Control Activity 1: Controls over data entered directly into DDRS-AFS from DDRS-DCM of DDRS ensure the journal entry is in balance prior to updating DDRS-AFS.

   Test Procedure: Inspected process for establishing Journal Vouchers in DDRS-AFS from DDRS-DCM and confirmed that each cell in DDRS-DCM contains a Journal Voucher which must be in balance prior to updating DDRS-AFS. Confirmed, through corroborative inquiry, that controls over data entered directly into the AFS Module from DDRS-DCM ensured the trial balance or journal entry was in balance prior to updating DDRS-DCM.

   Results of Testing: DFAS-Indianapolis, DFAS-Cleveland. No relevant exceptions noted.

Control Activity 2: The data imported or keyed from DCM creates complete Journal Voucher adjustments pending approval by DFAS staff.

   Test Procedure: Inspected DDRS-DCM entries in DDRS-AFS and confirmed the entries are approved. Inspected audit logs in DDRS-AFS and determined that Journal Vouchers had been approved. Confirmed, through corroborative inquiry, that the data imported or keyed in from DCM created complete Journal Voucher adjustments pending approval by DFAS staff.

   Results of Testing: DFAS-Arlington, DFAS-Columbus, DFAS-Indianapolis. Although the Journal Vouchers keyed into DDRS-AFS must be approved, users are frequently re-keying data from DCM into AFS, which can circumvent the systemic approval controls for DCM. At DFAS-Indianapolis, balances manually keyed into DDRS-AFS were not always approved.

CO No. 2: Authorized Entry

Control Objective: Controls provide reasonable assurance that data transmissions between DDRS-AFS and DDRS-DCM are authorized, complete, accurate and secure. Unbalanced trial balances are flagged and not reported until in balance.

Control Activity 1: Transmissions to DDRS-AFS were initiated automatically or by authorized personnel.

   Test Procedure: Selected a random sample of DFAS-AFS users to determine if SAAR forms matched the access provided. Inspected a list of DDRS-AFS users assigned the data administrator role, which allows initiation of a transmission to DDRS-AFS, and the HQSA role, to determine whether this access was appropriate for their job responsibilities. HQSA is a powerful role that, while necessary on a limited basis, does not encompass the principles of separation of duties and least privileges. Inspected e-mail traffic to confirm that DFAS Centers periodically review user access for appropriateness.

   Results of Testing: Controls were designed to provide for access to DDRS-AFS on a center-level basis, instead of by responsible work area. As such, the user may have access to information that they don't necessarily need. Out of 162 total SAAR forms tested for all DDRS-AFS users, five related to users of the DDRS_CFO_DATA_ADMIN role, which provides users with this role the ability to import DCM balances into DDRS-AFS. Of these five users:
   - One user had a SAAR form on file dated prior to 2004, which did not provide enough detail to indicate the user role or DFAS center to which access should be
granted.\n                                                                                                                              - Two users had a post 2004\n                                                                                         Confirmed, through                   SAAR form on file, but the\n                                                                                         corroborative inquiry, that trial    DDRS-AFS role granted on the\n                                                                                         balance transmissions to DDRS-       form did not match access\n                                                                                         AFS were initiated automatically     provided in DDRS-AFS.\n                                                                                         or by authorized personnel.\n                                                                                                                              However, DFAS Centers\n                                                                                                                              periodically reviewed user access\n                                                                                                                              roles for appropriateness.\n\n                                                                                                                              Out of 162 total SAAR forms\n                                                                                                                              tested for all DDRS-AFS users, 12\n                                                                                                                              related to users of the\n                                                                                                                              DDRS_CFO_HQSA role which\n\n                  
                                                           163\n\x0cCO\n      Control Objective   Control Activity         Test Procedure           Results of Testing\nNo.\n                                                                    provides users with this role the\n                                                                    ability to assign and remove roles\n                                                                    in DDRS-AFS. Of these 12 users:\n                                                                    - Nine users had a SAAR form on\n                                                                    file dated prior to 2004, which did\n                                                                    not provide enough detail to\n                                                                    indicate the user role or DFAS\n                                                                    center to which access should be\n                                                                    granted.\n                                                                    - Two users had a post 2004\n                                                                    SAAR form on file, but the\n                                                                    DDRS-AFS role granted on the\n                                                                    form did not match access\n                                                                    provided in DDRS-AFS.\n                                                                    - One user did not have a SAAR\n                                                                    form available.\n\n                                                                    However, DFAS Centers\n                                                                    periodically reviewed user access\n                                                                    roles 
for appropriateness, but did\n                                                                    not determine whether these 12\n                                                                    HQSA users were appropriate.\n\n                                                                    Although DFAS Centers\n                                                                    periodically reviewed user access\n                                                                    roles for appropriateness, some of\n                                                                    the DFAS Centers had a\n                                                                    questionable number of users\n                                                                    assigned the HQSA role.\n                                                                    Specifically:\n                                                                    - DFAS-Arlington had 13 users\n                                                                    assigned the HQSA role.\n                                                                    - DFAS-Denver had 10 users\n                                                                    assigned the HQSA role.\n                                                                    - DFAS-Columbus had 17 users\n                                                                    assigned the HQSA role.\n\n\n\n                                             164\n\x0cCO\n               Control Objective                         Control Activity                    Test Procedure                    Results of Testing\nNo.\n                                                                                                                       DFAS-Arlington\n                                                                                                                       The DDRS-AFS SAAR form used\n                                   
                                                                                    prior to 2004 did not include\n                                                                                                                       specific role categories for which a\n                                                                                                                       user had been authorized.\n\n                                                                                                                       DFAS-Cleveland\n                                                                                                                       The trial uploads and balance\n                                                                                                                       adjustments entered into DDRS-\n                                                                                                                       AFS do not require approval prior\n                                                                                                                       to posting.\n\n                                                                                                                       DFAS-Denver\n                                                                                                                       A systems developer was assigned\n                                                                                                                       access to the production\n                                                                                                                       environment as a HQSA, which\n                                                                                                                       creates segregation of duties risks.\n\n 3    USSGL & Other Guidelines\n      Controls provide reasonable              1. 
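The SAAR-to-role reconciliation the auditors describe under Control Activity 1 (no form on file, a form too old to record a role, a role or center on the form that does not match the access provisioned, a developer holding HQSA in production, and an unexplained number of HQSA holders per center) can be run as a recurring recertification check. The Python below is an added example, not DFAS or DoD OIG tooling; the record layouts, user IDs, center assignments and the per-center HQSA ceiling are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Roles named in the report: DATA_ADMIN can import DCM balances into DDRS-AFS,
# HQSA can assign and remove roles in DDRS-AFS.
DATA_ADMIN_ROLE = "DDRS_CFO_DATA_ADMIN"
HQSA_ROLE = "DDRS_CFO_HQSA"
PRIVILEGED_ROLES = {DATA_ADMIN_ROLE, HQSA_ROLE}
# The report notes that SAAR forms used before 2004 did not record role categories.
FIRST_YEAR_WITH_ROLE_DETAIL = 2004
# Assumed ceiling on HQSA holders per center: the report gives no number, it only
# calls the 13/10/17 it found "questionable".
MAX_HQSA_PER_CENTER = 5


@dataclass(frozen=True)
class SaarForm:
    user: str
    year: int
    center: Optional[str] = None      # not recorded on pre-2004 forms
    roles: frozenset = frozenset()    # empty on pre-2004 forms


@dataclass(frozen=True)
class Account:
    """A provisioned DDRS-AFS account as exported from the application."""
    user: str
    center: str
    roles: frozenset
    is_developer: bool = False
    environment: str = "production"


def review_privileged_access(accounts: Iterable[Account],
                             forms: Iterable[SaarForm]):
    """Reconcile provisioned privileged roles against SAAR forms.

    Returns (findings, hqsa_counts): findings is a list of (subject, message)
    tuples mirroring the exception types in the report; hqsa_counts maps each
    center to the number of HQSA holders found there.
    """
    forms_by_user = {f.user: f for f in forms}
    findings = []
    hqsa_counts: Counter = Counter()
    for acct in accounts:
        if not (acct.roles & PRIVILEGED_ROLES):
            continue  # only privileged roles are recertified by this check
        form = forms_by_user.get(acct.user)
        if form is None:
            findings.append((acct.user, "no SAAR form available"))
        elif form.year < FIRST_YEAR_WITH_ROLE_DETAIL:
            findings.append((acct.user,
                             "SAAR form predates 2004 and does not identify role or center"))
        elif form.roles != acct.roles or form.center != acct.center:
            findings.append((acct.user,
                             "role or center on SAAR form does not match access provided"))
        if HQSA_ROLE in acct.roles:
            hqsa_counts[acct.center] += 1
            if acct.is_developer and acct.environment == "production":
                findings.append((acct.user,
                                 "developer holds HQSA in production (segregation of duties)"))
    for center, n in hqsa_counts.items():
        if n > MAX_HQSA_PER_CENTER:
            findings.append((center, f"{n} HQSA holders exceed ceiling of {MAX_HQSA_PER_CENTER}"))
    return findings, dict(hqsa_counts)


# Constructed sample: user IDs and center assignments are illustrative only.
SAMPLE_FORMS = [
    SaarForm("u001", 2003),                                                # old form, no role detail
    SaarForm("u002", 2005, "DFAS-Arlington", frozenset({DATA_ADMIN_ROLE})),
    SaarForm("u003", 2005, "DFAS-Columbus", frozenset({DATA_ADMIN_ROLE})),
    SaarForm("u005", 2004, "DFAS-Denver", frozenset({HQSA_ROLE})),
]
SAMPLE_ACCOUNTS = [
    Account("u001", "DFAS-Arlington", frozenset({DATA_ADMIN_ROLE})),
    Account("u002", "DFAS-Arlington", frozenset({DATA_ADMIN_ROLE})),
    Account("u003", "DFAS-Columbus", frozenset({HQSA_ROLE})),              # form authorizes DATA_ADMIN
    Account("u004", "DFAS-Columbus", frozenset({HQSA_ROLE})),              # no form on file
    Account("u005", "DFAS-Denver", frozenset({HQSA_ROLE}), is_developer=True),
    Account("u006", "DFAS-Denver", frozenset()),                           # unprivileged, skipped
]

if __name__ == "__main__":
    found, counts = review_privileged_access(SAMPLE_ACCOUNTS, SAMPLE_FORMS)
    for subject, message in found:
        print(f"{subject}: {message}")
    print("HQSA holders per center:", counts)
```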
CO No. 3: USSGL & Other Guidelines

Control Objective: Controls provide reasonable assurance that the DDRS-DCM assists DDRS-AFS to produce financial statements that conform to the USSGL. Controls provide reasonable assurance that any relevant changes made to the USSGL by the Treasury Department are included in the Reference Tables, and that changes to the tables are authorized and approved.

Control Activity 1: DDRS-AFS transmissions from DDRS-DCM are consistent with the USSGL as published by the U.S. Treasury.

Test Procedure:
- Compared the DDRS-AFS chart of accounts with the USSGL to determine whether it was consistent with the USSGL.
- Confirmed, through corroborative inquiry, that DDRS-AFS transmissions from DDRS-DCM were consistent with the USSGL as published by the U.S. Treasury Department and that the USSGL account tables for DDRS-DCM and DDRS-AFS were the same.

Results of Testing (DFAS-Arlington):
DoD policies related to the preparation of financial statements and the template used for preparation of financial statements did not provide for reporting a significant amount of accounting information required by the Federal Accounting Standards Advisory Board (FASAB) and Office of Management and Budget (OMB) Bulletin 01-09. Also, the mapping of accounts for the preparation of financial statements in several instances relied upon DoD general ledger accounts instead of USSGL account codes. Furthermore, the mapping of accounts used for the preparation of the Statement of Custodial Activity did not conform to Treasury requirements.

Control Activity 2: Prior to each reporting period or on a periodic basis, the USSGL is reviewed for changes applicable to the DDRS-AFS Module from the Data Collection Module chart of accounts to ensure accuracy and pertinence.

Test Procedure:
- Compared the DDRS-AFS Module chart of accounts to updates in the Quarterly Guidance to determine if, prior to each reporting period or on a periodic basis, the USSGL was reviewed for changes applicable to the DDRS-AFS Module chart of accounts.
- Confirmed, through corroborative inquiry, that prior to each reporting period or on a periodic basis, the USSGL is reviewed for changes applicable to the DDRS-AFS Module from the Data Collection Module chart of accounts to ensure accuracy and pertinence.

Results of Testing (DFAS-Arlington):
No relevant exceptions noted.

Control Activity 3: Changes to the chart of accounts in the DDRS-AFS Module from DDRS-DCM are authorized, approved, and tested prior to implementation.

Test Procedure:
- Obtained the DDRS-AFS offline change log maintained by the DFAS-Arlington PMO to determine whether changes were authorized and approved.
- Confirmed, through corroborative inquiry, that changes to the chart of accounts in the DDRS-AFS Module from the Data Collection Module were authorized, approved, and tested prior to implementation.

Results of Testing (DFAS-Arlington):
Although changes to the chart of accounts were documented in the offline change log, there was no documented process in place for reviewing and authorizing the changes.
Local Unique Processes

CO No. 1: Local Unique Process

Control Objective: Controls provide reasonable assurance that trial balance data manually migrated into DDRS-AFS is accurate, authorized, and complete. Data from the Report on Budget Execution and Budgetary Resources (SF-133) or feeder systems are input accurately into DDRS-AFS. Any reclassifications are authorized and approved and are monitored by an audit trail.

Control Activity 1: Output reports from reporting activities' feeder systems are from authorized personnel or sources.

Test Procedure:
- Scanned output reports and evidence that the output reports were received from authorized personnel or sources.
- Confirmed, through corroborative inquiry, that output reports from reporting activities' feeder systems are from authorized personnel or sources.

Results of Testing (DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver):
No relevant exceptions noted.

Control Activity 2: Output reports from reporting activities' feeder systems are complete and in balance.

Test Procedure:
- Scanned output reports and evidence that they were complete and in balance.
- Confirmed, through corroborative inquiry, that output reports from reporting activities' feeder systems were complete and in balance.

Results of Testing:
DFAS-Cleveland, DFAS-Columbus: Proprietary balances are derived from budgetary accounts. Reconciling items remain unresolved in the DDRS-AFS local unique process.

DFAS-Columbus: Performed estimated allocations of Trading Partner data.

DFAS-Denver: Budgetary balances are derived from proprietary accounts. Additionally, a modified version of the import sheet is used at DFAS-Denver which does not contain all the built-in controls. However, the sheet does have a balancing formula, and DDRS-AFS import verification controls apply.

Control Activity 3: Local unique processes to prepare the data for DDRS-AFS import are reviewed and approved.

Test Procedure:
- Scanned output reports to determine if the local unique processes to prepare the data for DDRS-AFS import were reviewed and approved.
- Confirmed, through corroborative inquiry, that the local unique processes to prepare the data for DDRS-AFS import were reviewed and approved.

Results of Testing:
DFAS-Cleveland, DFAS-Columbus, DFAS-Denver: Reviews and approvals did not occur and there was no separation of duties in the uploading of balances. However, the customer confirmed the balances in DDRS.

DFAS-Indianapolis: Uploads of the trial balance import sheet were not required to be approved.

Control Activity 4: Adjustments made during the local unique processes to prepare the data for DDRS-AFS import are reviewed and approved.

Test Procedure:
- Inspected the local unique process to prepare the data for DDRS-AFS import and evidence that trial balance adjustments were reviewed and approved.
- Confirmed, through corroborative inquiry, that adjustments made during the local unique processes to prepare the data for DDRS-AFS import were reviewed and approved.

Results of Testing:
DFAS-Cleveland: Fiscal year end 2004 adjustments to trial balances were not approved. At first quarter 2005, the trial balance adjustments were approved in DDRS-AFS.

DFAS-Denver: A single FICA equity adjustment was made offline and was not reviewed and approved.

Control Activity 5: Adjustments made during the local unique processes to prepare the data for DDRS-AFS import are supported by an audit trail.

Test Procedure:
- Scanned the Microsoft Excel worksheets to determine if adjustments made during the local unique processes to prepare the data for DDRS-AFS import were supported by an audit trail.
- Confirmed, through corroborative inquiry, that adjustments made during the local unique processes to prepare the data for DDRS-AFS import were supported by an audit trail.

Results of Testing:
DFAS-Cleveland: Trial balance adjustments at quarter four 2004 were not supported by an audit trail.

DFAS-Denver: A single FICA equity adjustment was made offline and was not supported by an audit trail.

Control Activity 6: A closing date on reporting enables DFAS personnel to ensure no Journal Voucher or trial balance adjustments are made to the trial balance subsequent to external reporting.

Test Procedure:
- Inspected the DDRS-AFS system audit log indicating that the lockout occurred, and observed that the lockout mechanism was enabled prior to the release of the statements to OMB and that the mechanism was effective in preventing additional adjustments to the financial statements.
- Confirmed, through corroborative inquiry, that a closing date on reporting enabled DFAS personnel to ensure no Journal Voucher or trial balance adjustments were made to the trial balance subsequent to external reporting.

Results of Testing (DFAS-Arlington):
No relevant exceptions noted.

Control Activity 7: Feeder system reports and trial balance uploads during the local unique processes to prepare the data for DDRS-AFS import are based on the intended reporting period.

Test Procedure:
- Scanned output reports to determine if feeder system reports and trial balance uploads during the local unique processes to prepare the data for DDRS-AFS import were based on the proper reporting period.
- Confirmed, through corroborative inquiry, that feeder system reports and trial balance uploads during the local unique processes to prepare the data for DDRS-AFS import were based on the proper reporting period.

Results of Testing (DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver):
No relevant exceptions noted.

Control Activity 8: Final balance numbers are confirmed by the customer.

Test Procedure:
- Inspected the contents of the Confirmation Letter issued by the customer to signify the review and acceptance of the financial statements prepared by DFAS.

Results of Testing (DFAS-Cleveland, DFAS-Indianapolis, DFAS-Columbus, DFAS-Denver):
No relevant exceptions noted.

Control Activity 9: All critical procedures were documented.

Test Procedure:
- Determined that all critical procedures were documented.
- Confirmed, through corroborative inquiry, that all critical procedures were documented.

Results of Testing:
DFAS-Cleveland: Local unique procedures for the standard reporting checklist were documented but not implemented.

DFAS-Columbus: The local unique data import process was not standardized. Some procedures were not clearly documented.

DFAS-Denver: Procedures were not documented.

Section IV: Supplemental Information Provided by the Defense Information Systems Agency

This information has not been subjected to the procedures applied to the examination of the description of controls presented in Sections II and III of this report, and accordingly, the DoD OIG expresses no opinion regarding the completeness and accuracy of this information.

To accommodate a major disaster at any major DISA processing center, DISA has established the DISA Continuity and Test Facility (DCTF) at Slidell, LA. 
This facility is equipped with computational, DASD (Direct Access Storage Device), and telecommunications resources sized to provide a fully functional host site with the capacity to support a major disaster at any DISA processing center.

The Continuity of Operations support agreement between DDRS, which is part of the DFAS Corporate Information Infrastructure (DCII), as the customer, and DISA as the provider of processing system and communications services, provides for restoring host site processing in the event of a major disaster and for the timely resolution of problems during other disruptions that adversely affect DDRS processing.

The enterprise backup process is managed by DISA DECC-Ogden. Backup tapes containing the incremental daily and the complete weekly backups are created at Ogden. The tapes are rotated off site to Iron Mountain near Salt Lake City, UT, for storage on a predetermined schedule.

The Crisis Management Team (CMT) at DISA DECC-Ogden is responsible for declaring that a disaster has occurred and initiating the Business Continuity Plan (BCP). The CMT will then activate the following response teams: Communications Team (COMT), Recovery Coordination Team (RCT), Site Recovery Team (SRT), and the Crisis Support Team (CST). Each team has a specific set of responsibilities defined in the Business Continuity Plan. The contact information for each individual on each team is also included in the Business Continuity Plan. The BCP is required to be evaluated on an annual basis.

The DDRS Continuity of Operations Plan (COOP) provides guidance on DDRS software restoration for emergencies, disasters, and mobilization, and on maintaining a state of readiness to provide the necessary level of information processing support commensurate with the mission requirements and priorities identified by the functional proponent. The DDRS COOP was written to serve as a bridge between the customers' site-unique COOPs and the DECC Ogden BCP. An annual review of the DDRS COOP will be performed. A test of the COOP is conducted every three years and consists of declaring one complete system platform inoperable at a given site.

Acronyms and Abbreviations

AIS       Automated Information System
AMO       Acquisition Management Organization
BCP       Business Continuity Plan
CAC       Common Access Card
CDOIM     Centralized Directorate for Information Management
CMIS      Configuration Management Information System
COOP      Continuity of Operations
DBA       Database Administrator
DCM       Data Collection Module
DDRS      Defense Departmental Reporting System
DECC      Defense Enterprise Computing Center
DFAS      Defense Finance and Accounting Service
DISA      Defense Information Systems Agency
DITSCAP   Department of Defense Information Technology Security Certification and Accreditation Process
DMZ       Demilitarized Zone
DoD       Department of Defense
DoD OIG   Department of Defense Office of Inspector General
DOIM      Defense Office of Information Management
FACTS     Federal Agencies Centralized Trial Balance System
FASAB     Federal Accounting Standards Advisory Board
FFMIA     Federal Financial Management Improvement Act
FMR       Financial Management Regulation
FRR       Functional Requirements Review
FSO       Field Security Operations
GCC       General Computer Control
GMRA      Government Management Reform Act
HQSA      Headquarters Security Administrator
IA        Information Assurance
IDS       Intrusion Detection System
OMB       Office of Management and Budget
PMO       Program Management Office
PVCS      Program Version Control System
SAAR      System Authorization Access Request
SAS       Statement on Auditing Standards
SLA       Service Level Agreement
SQA       Software Quality Assurance
SRR       Security Readiness Review
SSAA      System Security Authorization Agreement
STIG      Security Technical Implementation Guidelines
TSO       Technology Services Organization
USSGL     United States Standard General Ledger
VPN       Virtual Private Network

Report Distribution

Office of the Secretary of Defense

Under Secretary of Defense (Comptroller/Chief Financial Officer)
 Deputy Chief Financial Officer
 Deputy Comptroller (Program/Budget)
Director, Program Analysis and Evaluation

Department of the Army

Auditor General, Department of the Army

Department of the Navy

Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force

Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Combatant Command

Inspector General, U.S. Joint Forces Command

Other Defense Organizations

Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency
Director, Defense Logistics Agency

Non-Defense Federal Organizations and Individuals

Office of Management and Budget
Government Accountability Office

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member

Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, Committee on Government Reform

Team Members

The Defense Financial Auditing Service, Department of Defense Office of Inspector General produced this report.

Paul J. Granetto
Patricia A. Marsh
Addie M. Beima
Michael Perkins
G. Marshall Grimes
Frank C. Sonsini
Ernest Fine
Chanda D. Lee
Laura Croniger
Richard M. Ng
Lauren S. McLean
Stanley J. Arceneaux
Mahalakshmi Krishnam
Randall D. Yoder
Emily M. Caldwell
Jose V. Morales-Santiago